354300x800000000000000028239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:43:58.901{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50264-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:00.451{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86EA3A6E057AC6F8A68A2847A7392575,SHA256=8A7D8F4BD72BE141D565DE11DABEB8740C122EC3141B85C2ECA7DBA4277392C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:00.476{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3517B873015C4D6EA41DF5205C9A8C7,SHA256=22EE0BAC2336933BB6C52B7D97D716814DE7CDAB9594F5413DCDBBDC36C75AD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:01.546{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3584944DC68F612D4ABD001BC0E9A98,SHA256=817C019C8D121B1EEFA8FE2E81D760E60A6FB8DBB7A275168DDD0876BEA8729A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:01.566{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85900C07E21B04C5A0E968506C62D12C,SHA256=FAF60BBBDF6B08C3362FEAFA25F16E223F92EB52A28F9201A84B6F77EBBB8DDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:01.439{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:01.439{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:01.439{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:02.851{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D79166572D7319749DDD80585C8FCC6,SHA256=57E7952DA2B301F3F5911884E5CF54969F2258C1119AAB3BC803154C1A3FDFD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:02.652{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB706ABFABE1936C57CDF8668695993,SHA256=C74E31DAC39AFCA8B00A37B80215337D68F016431048715F54F1ECE9966B4085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:02.533{3AAE424D-DEE3-630D-1A00-000000007502}1788NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-057096b16942fd9f4\channels\health\respondent-20220830095653-045MD5=D4339613963D06E92774A3EB9FED8697,SHA256=EC6B2C8C371CA336E2A0B482E95A3B0DACA37B87AC3FADB516AE5F6436D8643B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:03.746{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78E946A171E1B3377EDD1859DF0B55A7,SHA256=7D31F8C66F3964DDFD6B9622AAE97E4E63C40F5271130D7158C7999F83B78665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:03.532{3AAE424D-DEE3-630D-1A00-000000007502}1788NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-057096b16942fd9f4\channels\health\surveyor-20220830095651-046MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:02.837{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53684-false10.0.1.12-8000- 23542300x800000000000000037947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:04.833{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA00F42781775BADF3800619CDFA670,SHA256=F90CCFE89950F5C15713CD9B462C4FA0BDBD67F9B55B2195C2D3937B4E3E45E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:04.761{3AAE424D-E5C4-630D-5403-000000007502}36044168C:\Windows\Explorer.EXE{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8e5d|C:\Windows\System32\SHELL32.dll+28397e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x800000000000000028253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:04.761{3AAE424D-E5C4-630D-5403-000000007502}36044168C:\Windows\Explorer.EXE{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8e5d|C:\Windows\System32\SHELL32.dll+28397e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x800000000000000028252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:04.322{3AAE424D-E5C4-630D-5403-000000007502}36044168C:\Windows\Explorer.EXE{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8e5d|C:\Windows\System32\SHELL32.dll+28397e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x800000000000000028251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:04.322{3AAE424D-E5C4-630D-5403-000000007502}36044168C:\Windows\Explorer.EXE{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8e5d|C:\Windows\System32\SHELL32.dll+28397e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000028250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:04.291{3AAE424D-DEE3-630D-1400-000000007502}8641180C:\Windows\system32\svchost.exe{3AAE424D-E9F4-630D-0004-000000007502}4252C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:04.276{3AAE424D-DEE3-630D-1400-000000007502}8641088C:\Windows\system32\svchost.exe{3AAE424D-E9F4-630D-0004-000000007502}4252C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:04.276{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-E9F4-630D-0004-000000007502}4252C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:04.276{3AAE424D-E5C0-630D-4003-000000007502}31522856C:\Windows\system32\csrss.exe{3AAE424D-E9F4-630D-0004-000000007502}4252C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:04.260{3AAE424D-DEE2-630D-0500-000000007502}4081028C:\Windows\system32\csrss.exe{3AAE424D-E9F4-630D-0004-000000007502}4252C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:04.260{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-E9F4-630D-0004-000000007502}4252C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:04.021{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=920C698B244B741A4851055AE30A9667,SHA256=7C182F43639C5D2949E0D2706A0D91C31BAC9EB58E97D6773F4CB2EA448BF4B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:05.934{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A72473F15DADFAB212999E0C5EED478,SHA256=C9DDA93340D2EC088CBF7F9802C4E838FFE6D48627617A583C06BE90AABC95E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:03.937{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50265-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:05.340{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DC880F50F8C4A4F68C39C22C11C1951,SHA256=C29F29F77A58F08A953C9DB358D3A03E8F391EAD31F994DCEA3D491E31663536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:05.120{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6B137FEBC54019DD1F01F25C3560999,SHA256=834D06451A4D0542FB6AD33A2C364D3735A47899CEE28ECD6D08B89D8D85D9FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:05.056{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9F4-630D-0004-000000007502}4252C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:05.056{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9F4-630D-0004-000000007502}4252C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:05.056{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9F4-630D-0004-000000007502}4252C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:05.055{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9F4-630D-0004-000000007502}4252C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:05.055{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9F4-630D-0004-000000007502}4252C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:05.055{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9F4-630D-0004-000000007502}4252C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:06.976{3AAE424D-E5C4-630D-5403-000000007502}36044392C:\Windows\Explorer.EXE{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:06.976{3AAE424D-E5C4-630D-5403-000000007502}36044392C:\Windows\Explorer.EXE{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:06.976{3AAE424D-E5C4-630D-5403-000000007502}36044392C:\Windows\Explorer.EXE{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:06.976{3AAE424D-E5C4-630D-5403-000000007502}36044756C:\Windows\Explorer.EXE{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:06.976{3AAE424D-E5C4-630D-5403-000000007502}36044756C:\Windows\Explorer.EXE{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:06.976{3AAE424D-E5C4-630D-5403-000000007502}36044756C:\Windows\Explorer.EXE{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:06.976{3AAE424D-E5C4-630D-5403-000000007502}36044756C:\Windows\Explorer.EXE{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:06.211{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0AB928D40B2061134735B869B5C1344,SHA256=E3DF81EDAE4B794A4E2DE0591F702A8446172755D30597CC2390BD306B3F2E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:07.297{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8967B2E257352AB959EA6035346BF613,SHA256=1B22EC4E0E0EE8321E281137661C13C02DA74AD915C4221A4331310B359DD080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:07.021{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE65D8DC350FF157A66CE0485428F4B,SHA256=82640DB4C88D95E0B95CBD5B7BFA713CA021B106F5659324020231D893E9261C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000028295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:44:08.706{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=7531591CFCB1090DA5F6A3788D0B9EF39FB416C50F7A167EFFB1495E83DE5AD2 13241300x800000000000000028294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:44:08.706{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 16341600x800000000000000028293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-1152022-08-30 10:44:08.706C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=7531591CFCB1090DA5F6A3788D0B9EF39FB416C50F7A167EFFB1495E83DE5AD2 13241300x800000000000000028292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:44:08.706{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x800000000000000028291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:44:08.690{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x800000000000000028290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:44:08.690{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x800000000000000028289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:44:08.690{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x800000000000000028288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:44:08.690{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x800000000000000028287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteValue2022-08-30 10:44:08.690{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x800000000000000028286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteValue2022-08-30 10:44:08.690{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x800000000000000028285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteValue2022-08-30 10:44:08.690{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x800000000000000028284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteValue2022-08-30 10:44:08.690{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x800000000000000028283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteValue2022-08-30 10:44:08.690{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 10341000x800000000000000028282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:08.690{3AAE424D-DEE2-630D-0B00-000000007502}6243860C:\Windows\system32\lsass.exe{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:08.595{3AAE424D-E695-630D-9303-000000007502}28646088C:\Windows\system32\conhost.exe{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:08.579{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:08.579{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:08.579{3AAE424D-E5C0-630D-4003-000000007502}31522856C:\Windows\system32\csrss.exe{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:08.579{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:08.579{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:08.579{3AAE424D-E695-630D-9203-000000007502}55046024C:\Windows\system32\cmd.exe{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:08.538{3AAE424D-E9F8-630D-0104-000000007502}1604C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\WIN-HOST-CTUS-A\Administrator{3AAE424D-E5C3-630D-A9E7-310000000000}0x31e7a92HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x800000000000000028273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:08.485{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F31491D29246E767555ABA248A03F2,SHA256=FAF2EC6D435DE4D8CD3B0F491F319B5168682C66AF9A604978C54511B91C7927,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:08.108{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E706425B50B1802A7203FFBFEB0E85,SHA256=FF700F151EB900692ECB32AAE0124DB7CFFCC777315D493D772E3820A66F9C5D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000028298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:44:09.986{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000028297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:44:09.986{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkrBinary Data 23542300x800000000000000028296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:09.673{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93740D876DA7D5E73B5B5E78DF6C3D6D,SHA256=E7910FB3CADD77E38C5A3114901D3301622D5D34315DEEE14C4C226AB6CCD824,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.719{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=033D337EF9B8FCD8F92FA195CDD9F965,SHA256=F98CAD59E4BB8F6A01BDD100AA3264527DB9B0164C49AAD169D0902FC0CFAFF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.718{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=EEDC9FF5E7F2D31913516146FAE86984,SHA256=C6F32341DCDE294EC4991D149566D83CE3797A32BA440A8045E1A87E17F1B7DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.717{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=7657411E92B17ADBBD955B4BCD36DE67,SHA256=7703B0A9147988CAC10DB625BE725FBA67D72DFB0B2FF0532C6BC0AD67F6166F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.661{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.654{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.651{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.649{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.647{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.620{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.613{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.599{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.592{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.586{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.577{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.570{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.557{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.548{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.539{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.527{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.472{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.469{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 23542300x800000000000000037953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.413{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F10761BF1FABE9ACA567A4E55D07BF6E,SHA256=D176E9D43E6FB26DF4788AECA2215E705A9EE9BCECF723BD66284464281BB053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.195{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29FD1309B2B4B62079D1DDD764C2DF63,SHA256=BC15E07E1D061B92C32871AB7786128C18DBA6720909DDA4B36407522311DD1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.767{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B4D4BFC88DAC8BAF6E253708A2FC5D,SHA256=F2E0D591F198008DB652D5328FF5BE2F14E41AC8CE8A831B79398886F0AFBABD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:10.526{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0229918CE4A16C202E7D4445110F75,SHA256=29EE99F7A3DD195959F51E0BA83EABE0429EBC28C03BD9A0CE96E41323D60BA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:07.979{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53685-false10.0.1.12-8000- 23542300x800000000000000028320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.330{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=11D1BFD3431EE1F39112B2CC277BDF01,SHA256=F9A661EB1F4EC8F60149903272DBEAF25EC477B2647D2F72A849DA027233ED93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.242{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.242{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.242{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.242{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.242{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.240{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.240{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.240{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.240{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.239{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.239{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.238{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.238{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.238{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.238{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.236{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.236{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.236{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.236{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.234{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:10.233{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000037981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:10.172{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:10.165{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:10.163{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:10.160{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:10.152{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:10.134{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:10.129{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 354300x800000000000000028364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:09.835{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50266-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000037985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:11.345{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE42F2FA96D3765D6970AAA32E77519E,SHA256=01370F3B8F1CE391DC6548B6FB41EE50A9F2C865DBB4CFAE087C878644094A0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:09.175{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53686-false10.0.1.12-8089- 10341000x800000000000000028363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.726{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9D5-630D-F803-000000007502}4604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.724{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.724{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.722{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.702{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.686{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.681{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C5-630D-5603-000000007502}208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.638{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.626{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.600{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.594{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.590{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.586{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.583{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.580{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.579{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.575{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.574{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.573{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.572{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.570{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.569{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.566{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.562{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.554{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.538{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.536{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.526{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.508{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.504{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.495{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.460{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.454{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.445{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.434{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.422{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.416{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.407{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.399{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.391{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.381{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:11.378{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 23542300x800000000000000028367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:12.930{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E45EAD79F835AB5883C8FB9438882E4C,SHA256=7658D874147D79A0304CF5800C2D13041C6799D25D692398C5650C05AD89E2F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.822{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.812{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.806{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6406-000000007402}2624C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.779{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.767{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.752{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.747{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.745{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.743{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.740{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.737{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.735{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.734{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.730{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.728{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.727{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.726{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.725{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.724{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.722{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 23542300x800000000000000037988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.322{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B49FA525D37239854E572EA0A6DCB2E2,SHA256=CE5B057DAEF77E0EE524352EFC545A4625B0498BE0C2720FA23F3D7978EEBE99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:12.270{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3F686C1066F92F522E7917B50417D00D,SHA256=8DCA464C7F33A4C87B13749F96AD5ADD5BE5B350D29F1F4BE74F39D9CB736CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:12.081{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB5DBB94E2F8D823B67B75A6C565107,SHA256=93331CC095A189697037B83D1FBC08F3B3CFC8744D57DD7B297F07C7041900E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.204{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000037986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:12.203{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 23542300x800000000000000038009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:13.389{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983004FFA18DC64ACBD3FEA99DC0B9CE,SHA256=607D84F30B87B5FC262E373ADA8C88D470CD32F5783CC7908B70A04FF835D4DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:14.475{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45AB7CBC043F030D8539BF585A88299D,SHA256=2442E02F72D98C2E2448328E212709F6EBB5D24CF52BADB93E1E3C8300E4ABEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:14.475{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D735EF27421EDD24F626FDACD61BF910,SHA256=FB5837E244ED0ED4C8C701C2B3FBA66FE52F64D660C4C312F72BEC79FDB34C09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C5-630D-5603-000000007502}208C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.649{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C5-630D-5603-000000007502}208C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:14.022{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E90A302BCCCC711DD8D227ACF7915589,SHA256=09AECC544E61A0901E4EB175B6569BF4B26D9651E0F8F83A51AD3DE4D178925A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:15.566{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9DE8C811A88763B5CBF744B05557B27,SHA256=E8E3C3B73D2CAE8EAA1E8C9898536C16F2BFB8CFBDC39A55C2EA1FB324265B0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:15.417{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F49F83F67D80C84CC3BAA77C56EDF3D5,SHA256=FE15AA12324C620532CDA28E3BCC1932BD8F7F926C76881CA65A5EE72A17EAC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:13.182{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53687-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000038012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:13.182{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53687-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local389ldap 23542300x800000000000000038016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:16.669{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C2DEA8C0DA76A6E871CB168EA0BEE7,SHA256=4A30C8052EC0CE1CA15D4327F7148D22D5FC62B4BD9E9B943B4B78407A863EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:16.540{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7AA55020005CD68702C46BE8F15AC4E,SHA256=9C49069EA3195414CF931273E515F345F9AD9DA211C84FCFB9DC952190460E30,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:13.831{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53688-false10.0.1.12-8000- 23542300x800000000000000038018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:17.937{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D950CBEB36728E04F5B7BB8E9B28B235,SHA256=54FE49583082F96C4D72B0FF762ABFB5469E85B8455988BBC6F222E45C2D8F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:17.765{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C7C9A11E946204FF9F57612695DE3A7,SHA256=7788461604BD3AF751D9874AEE286A141FA46C037B42C22F7199393DE940320F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:17.630{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B59949AE58D4B5898C8C5F1663BD08,SHA256=A06ED6DBFD95275D7C6401BB4686C0E669EBE6138FC5036DC0765F04D36E7C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:18.849{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B16FAFB0F015AEDD738F015DBFD1A5F,SHA256=FF11FA7C8D65FD0E9F5E13CDE046F0BE22936627A44F1786C22DDC0E198A56E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:18.712{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDBE7A4A282D83B84B1E4626AECEBAFC,SHA256=D740F02F9E22849F590D5E8ADEF5419817995E4C7125368D7B95F44275A7D452,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:15.731{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50267-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000038020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:19.944{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A1B610B3769ADE5DAF0739CFFBB0AFA,SHA256=2416C513D54E3A5A0DD813AE09B4E5B1854229061FA72443CA4A0536B06E1A9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:19.809{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4F5548150173B08F213ABC0AAEF5BCD,SHA256=153DC5E6D287E2E55552300D0B090ABD2661E0A01238FDC199BEBA5AADCE0364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:20.892{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E0C318534444AA95C61D33FEF794924,SHA256=25684ECF1E9B3B466D37EE5755D374B91C86C4B94EE1ACF4EFC44CAF166AC442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:21.984{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE3309531BFFA0C8BDB8474B74101F80,SHA256=B0A56F6E6F2F70525613D2FF05D3CF0695C80766A6A9F467381D68600232C519,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:18.970{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53689-false10.0.1.12-8000- 23542300x800000000000000038021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:21.022{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A1EBE658C5573C0011C5C2C5AF07FE,SHA256=5C8FA5EB9454E75814CA2D570AC169A3235303CC93415DE00B373F52538C93FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:22.097{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C54C843DBCB6645790E88793FC976B,SHA256=FEB940C8BE2DAA33BA1F4799E86C3B5EC42CB7127D5B5F2E7EA8030E14577999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:23.177{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F999F60D9FBC7A776717EC803C6FB48D,SHA256=F62AFDF470F0B8D4639D8F53DDE7628123192ACBCCB613B5D8045E9639358382,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:20.836{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50268-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:23.071{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25EBD5946EF954C052898074D0757AC,SHA256=CA8D98FFD047FF715AC13E26EBC179B75598D01FBB256C5465F6C885B53D811C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:24.793{BEA5AFC2-DC92-630D-2300-000000007402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00bf26b22d19118c1\channels\health\respondent-20220830094700-055MD5=C491190F90C7972FBE76687DCEFF5872,SHA256=DB0E0926111D00D550C987F8CEF70C29389AC9CA5369CEC4CC3BEF95D75DEA18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:24.264{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C89737ED47EC34DD49D1C8E559A045,SHA256=E7F60056532AEB4BC686FF3A953CBE9528FB3D1CD024C14D456713FA42A02FB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:24.160{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D8EFD8EA69595DA15E93ACF6695686,SHA256=CCAD43BC8A9A3CB86A216E143EA9C5262E5AE2E3ED2B107E2CD7FCDDE4B43B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:25.798{BEA5AFC2-DC92-630D-2300-000000007402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00bf26b22d19118c1\channels\health\surveyor-20220830094658-056MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:25.336{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB0F1B7AB3786287FFA9121FA27BB37,SHA256=6C6C11CA784FFF6E9E260848FD1D8C7DA5A9522C45331E2D4F637621A5A090F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:25.250{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A7DEEB84617FEC82F950C12351D6AB9,SHA256=63C7E985097508F6D2CBF0FC09DAF937FBD0CFA8DA43409E46019C19C25A38ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:26.425{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7DEBBC91BCA763AEF965A7257E8AE14,SHA256=E6E3704685AF196D16BB70191758BF7624605B36BFD0A76829E80CEF7AD39EF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:26.337{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89B5A4B161F96C329D79F55E34FF2BC4,SHA256=856699CB41CFDEAACB3F569A853AC5988A9A653DC04ADCEE2DEDAFB744090315,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:27.523{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36993607D3F713D53B01C9B02AF36C5,SHA256=78876D0C7751AE36D31AE717675246E92F093B20A45E66E012E856E4BACC3C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:27.516{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34B4EA953EB98139BB6819BD0663A49,SHA256=91A0461F8E905047E720114B854D90FD9EB06F3609102EA4BAF3B5053180045D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:24.848{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53690-false10.0.1.12-8000- 23542300x800000000000000028411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:27.311{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F10761BF1FABE9ACA567A4E55D07BF6E,SHA256=D176E9D43E6FB26DF4788AECA2215E705A9EE9BCECF723BD66284464281BB053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:28.831{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D05D311497D11C1F3FFD01AFF624AD2C,SHA256=F21C0B961C6953FD9BE1787DCD8A47EEE8724F1934819557210EFFF3556AE207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:28.493{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE592E82697E8D9EF8611A2259A025A4,SHA256=F4C802397E100CBC47AD49B0D39C0ED2A0E32AD67A33B3B13DF70F4FE868DB13,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:27.000{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50270-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x800000000000000028413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:25.913{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50269-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:29.922{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1443D79DF536FEADFBA538A991C6A97,SHA256=AC76FC7DC7138E713DD3EEBA5D560AB4D8759B31EC61367ADEC4D9DDB672BBC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.657{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.651{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.648{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.646{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.644{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.617{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.612{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.592{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.585{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.581{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 23542300x800000000000000038041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.578{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1119ABAFAA87DE0351B638A860CA6E3,SHA256=0C622A28D5F97A271C5EE4C9AEB2E2F9CD5EFAA5DEBB520B04E55CA6C47DF67A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.573{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.566{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.556{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.550{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.541{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.533{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.474{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.471{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 23542300x800000000000000038059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:30.628{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08625789869DF1F725DF77E5CDEFAE63,SHA256=845C705C64722641406408D6516E8CC6BA00A70CB4E13B1C9B125D8A5B53182C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:30.082{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:30.075{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:30.073{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:30.070{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:30.058{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:30.042{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:30.038{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:31.913{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-E595-630D-7006-000000007402}5272C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000038060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:31.721{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=005940CF9D7FD4C47337EAD1CC454C13,SHA256=CEA32CC5198E07B820ECBC0F1C23EEF44FF491F5AF77C7C27BFBB709F50E1856,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.882{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9D5-630D-F803-000000007502}4604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.881{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.881{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.879{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.861{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.848{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.844{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C5-630D-5603-000000007502}208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.806{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.796{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.766{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.759{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.748{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.745{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.742{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.739{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.738{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.733{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.732{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.730{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.729{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.726{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.724{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.721{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.714{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.705{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.699{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.695{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.676{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.649{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.646{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.633{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.582{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.572{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.557{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.549{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.530{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.520{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.490{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.461{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.439{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.402{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.392{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 23542300x800000000000000028417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:31.014{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A01EAA5C3CEDBC0903EBACC83E4045,SHA256=73726D99D5ADF63FEB65853A7790C7B0BAA86DF7A4A402C0ADE6DED7275A4CB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.796{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D9DC46D5E09DE0DFFEE6E2A21B5F43,SHA256=F9C6CFF4F2FDA7B85BDAF7C738C9A370E65D77CF2284E21CE129BC95C35D3D91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:32.301{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70167EF8C0E6E94B47B6433BA346C9D,SHA256=1804F7C9AE0D77F6339006FCCAED3F6B7C332D90C222603DFA736ADF28E94A89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.721{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.711{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.705{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6406-000000007402}2624C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.685{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.677{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.662{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.657{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.655{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.653{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.650{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.647{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.645{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.644{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.641{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.640{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.638{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.637{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.636{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.635{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.633{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 354300x800000000000000038064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:29.936{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53691-false10.0.1.12-8000- 10341000x800000000000000038063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.115{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000038062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:32.114{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 23542300x800000000000000038086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:33.890{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3736D375656AE40AE985F878959ABCF7,SHA256=831A763F548D7847FD5F24657429D90CADB60C13D0027943B90F6613735A3C56,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:33.653{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x800000000000000028468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:33.653{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x800000000000000028467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:33.652{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x800000000000000028466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:33.644{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x800000000000000028465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:33.644{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x800000000000000028464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:33.644{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x800000000000000028463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:33.643{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000028462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:30.943{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50271-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:33.376{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7033534DF55AADCEFCA8DDBD2685C88,SHA256=D356F1958BAA2C4DF39702212CEBDFB9F07FB0598161C3ABFDA89A31189CE26E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:34.968{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4C9398F04E80383717E4BE68E8FCE22,SHA256=6255A7992ECD24D2D8FA863246B9FB28F7D52BB22BA2BA0EF058263658DC6369,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:34.586{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EBFD0CDCD76C4EA2CDCD3F4EE5FC01C,SHA256=50F0633B3596A8BD5628D8A434AB4B353F6746F1397151D72170D119517D1672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:35.686{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65A900FFF75141C53943E1605405DFA0,SHA256=7AFBC71F3E588EBC218E78ACC7E4FFF3716D926C4AD78F6D384E313238799072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:36.772{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8EAF46B2CD54166B1155AD7F20C20A4,SHA256=6322CD98B468D8BB24C4ED5CED8E027CB6F64AEB6B9B0EC304EDE9FE32A1BAAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:36.054{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7FBF9A71C094B8DC39232A42A988A23,SHA256=72D919A21BEBEB3123D51E24F75A0F4C3F5AF42B64CB9F67FCC2AFB7562C7132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:37.871{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A390570611BB626E99212E4AB6F5A545,SHA256=EB5FFA73600593F3CA0C0EDB4172289952CEC338BF707F1B88F8CB1A3BD74EBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:35.847{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53692-false10.0.1.12-8000- 23542300x800000000000000038089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:37.150{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3174B7C332D31B6097C3C5F6C550E06E,SHA256=D676E3CFAF72785008EDA8888BDE8A9E46A3F4C9810FADC804FC9DACE17723D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:38.967{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62124A8A82D9DDEE9E87602AD69B4B5,SHA256=2B597183AEF571206B0DC52A1942F433FCB391CF006B9CA009D09312C3B45D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:38.229{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F718EC4E85A22D4C126E04E4EEC7F97,SHA256=7F88964417CF2E1C511EF5DAB36D30330ABC4A464E6D9D1579936E80A0DB191D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:36.858{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50272-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000038092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:39.316{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EE9697B3B4080321D443DDE5B90F622,SHA256=93B60B2254BB08F34FFC8F20798ADB8B34990A8900B2A47F8A4543922FAE5EA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:40.403{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C6F8FC64FB808D2FC17FC489A1059D,SHA256=5EFD6E481BBDC71E16738A202E2E9498DD61FB5C563D7AF7F6E68B693546C371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.954{3AAE424D-EA18-630D-0204-000000007502}5203608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.954{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000028525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.954{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000028524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.751{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000028523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.751{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000028522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.751{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000028521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.751{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000028520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.751{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000028519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.751{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000028518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.751{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000028517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.751{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000028516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.751{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000028515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000028514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000028513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000028512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000028511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000028510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000028509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000028508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000028507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000028506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000028505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000028504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000028503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000028502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000028501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000028500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000028499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000028498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000028497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000028496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000028495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000028494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000028493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000028492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000028491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000028490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000028489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000028488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000028486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000028485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000028484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x800000000000000028483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.735{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.736{3AAE424D-EA18-630D-0204-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:40.062{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31637210A1FF235D9B78D3A49A95A63F,SHA256=1B58E73C11E84F0C30039877AD21087E6B54CAD5BB5FA98CC0C494214E5D8077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:41.504{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9B442229FEBE9CABFCBC4C501B23487,SHA256=365B4861A2CE6DBE814E4D4C106A77B1B5522357B4ADEA85D3E56743519FFD9E,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.922{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000028636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.922{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000028635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.922{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000028634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.891{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B160998D972270500C68B6B926332A,SHA256=37637BD0AF937D447EF9BA2E4BA8CFCBBFDFB608C8F16EDBD979FFB26592C523,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.750{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000028632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.750{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000028631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.750{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000028630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.750{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000028629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.750{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000028628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.750{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000028627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.750{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000028626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.750{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000028625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000028624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000028623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000028622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000028621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000028620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000028619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000028618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000028617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000028616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000028615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000028614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000028613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000028612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000028611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000028610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000028609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000028608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000028607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000028606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000028605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000028604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000028603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000028602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000028601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000028600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000028599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000028598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000028597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000028595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000028594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000028591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x800000000000000028589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.734{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.736{3AAE424D-EA19-630D-0404-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000028585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.453{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000028584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.453{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000028583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.453{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000028582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.453{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BC9000A2C4D80A124283CE59F6789C86,SHA256=8312B03E71E50A8ED176AC9C694B0C7729273413EB8C19D28D6D6EE77461F8B5,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000028580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000028579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000028578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 23542300x800000000000000028577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316D71A11DD63DBEF874798790802302,SHA256=1B42F629FA7B61FE57FBF7BBC42B0E5CBB2158A45C0544EF5B3CEA3C42C24F24,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 23542300x800000000000000028575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2C1130532EED3D77D2CD7CC2B1BA39AC,SHA256=54BB5AC401863448373CA9CC23A3DBC052060FFF73D7F9D53FDC52BAD6E9582B,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000028573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000028572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.266{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000028571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000028570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000028569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000028568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000028567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000028566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000028565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000028564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000028563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000028562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000028561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000028560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000028559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000028558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.250{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000028557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000028556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000028555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000028554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000028553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000028552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000028551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000028550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000028549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000028548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000028547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000028546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000028545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000028544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000028543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000028542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000028541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000028540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000028539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000028537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000028536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000028535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x800000000000000028534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.234{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.235{3AAE424D-EA19-630D-0304-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000038096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:42.608{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2314A40203E82E8A6C1437451AE7AABD,SHA256=3D38689840FA46D4CF24BDCBD8245B4CB6998CA430C33ACC19A2F35AE0636D71,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.628{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000028689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.628{3AAE424D-EA1A-630D-0504-000000007502}13244628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.628{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000028687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.628{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000028686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.628{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D01425AA7143C66AA0A64B8D378F868E,SHA256=5725676EC8BA42AA48619C3EBFC2F18875D25C74E4FEB98BAFF05DE2F0036A23,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.440{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000028684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.440{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000028683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.440{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000028682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.425{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000028681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.425{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000028680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.425{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000028679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.425{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000028678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.425{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000028677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.425{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000028676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000028675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000028674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000028673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000028672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000028671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000028670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000028669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000028668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000028667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000028666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000028665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000028664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000028663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000028662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000028661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000028660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000028659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000028658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000028657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000028656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000028655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000028654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000028653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000028652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000028651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000028650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000028648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000028647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000028646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000028645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.409{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.410{3AAE424D-EA1A-630D-0504-000000007502}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000038095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:42.138{BEA5AFC2-DC81-630D-1000-000000007402}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=48E524A2A4515C03754E07644CE453E8,SHA256=BCD35ED76E09560E087FD1E24D44CDF87B334F46A0E8DB466D0D039AD3ECD097,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:42.000{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53D5229B56261CA868DA41A2DC8E2380,SHA256=CEA8EBFA4A36E6FA97B591805F3628612246D41EE955F049426F04E8CF2137DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:41.816{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53693-false10.0.1.12-8000- 23542300x800000000000000038097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:43.709{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7804B5270C40F9981ACE78763A14F959,SHA256=2CF87D342F074506130E34908D5A2E114BB009C503B6CA3F14738667578AE106,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.982{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000028738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.981{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000028737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.980{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000028736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.976{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000028735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.974{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000028734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.973{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000028733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.973{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000028732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.973{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000028731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000028730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000028729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000028728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000028727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000028726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000028725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000028724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000028723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000028722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000028721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000028720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000028719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000028718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000028717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000028716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000028715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000028714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000028713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000028712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000028711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000028710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000028709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000028708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000028707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000028706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000028705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000028704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000028703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000028701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000028700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000028699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x800000000000000028697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-DEE2-630D-0500-000000007502}4081028C:\Windows\system32\csrss.exe{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.953{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.954{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:43.750{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50C52FE1A69DCDB9445A9CA3AFFBB950,SHA256=3F58200733D4F4F8D805C5BBDBAC176160214170B1C664E950A16ED1B2D44050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:44.809{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5CC99D5D33D0125F53F4C88FF7B66A5,SHA256=3C3C49DDF0E01D277908201B3EC4C96DDF4B91423160E17ED2815F305AAB01FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.922{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=603519BB69EC00D9D74C6487FE355E8F,SHA256=B7D00DB9FB676C5D2E779548DECDBAE337552AD5F382F01CBDD8577CF88865D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.906{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6549E0B02E024DF20217DA987B88E674,SHA256=629D951F2C9BBCB9CF1829BCC3F2DB566863BC7A324F8C344879094490256854,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.813{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000028794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.813{3AAE424D-EA1C-630D-0704-000000007502}52485704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.813{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000028792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.813{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x800000000000000028791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:41.944{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50273-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x800000000000000028790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.634{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000028789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.634{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000028788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.634{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000028787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.634{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000028786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.634{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000028785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.634{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000028784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.634{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000028783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.634{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000028782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000028781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000028780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000028779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000028778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000028777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000028776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000028775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000028774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000028773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000028772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000028771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000028770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000028769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000028768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000028767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000028766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000028765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000028764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000028763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000028762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000028761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000028760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000028759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000028758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000028757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000028756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000028755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000028753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000028752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000028751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000028750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-DEE2-630D-0500-000000007502}4081028C:\Windows\system32\csrss.exe{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.618{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.619{3AAE424D-EA1C-630D-0704-000000007502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000028743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.190{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000028742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.189{3AAE424D-EA1B-630D-0604-000000007502}39563884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.181{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000028740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:44.179{3AAE424D-EA1B-630D-0604-000000007502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000038100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:45.896{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08FA6089C88D75F535B9087B476A4026,SHA256=3D1D805D047B9027BEF83F4F924C5A40A4A07147083313149F9A16AD73488253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:46.998{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA275F2C57478DA3BA66D236BEB017C9,SHA256=69F58D67FEC7BC1D0886EFABE3170B8F5B60389936AE8C5576602BAFDA5F308C,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000028855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.389{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000028854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.389{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000028853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.389{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x800000000000000028852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.250{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.250{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.250{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.249{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.249{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.249{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 734700x800000000000000028846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.215{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000028845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.215{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000028844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.215{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000028843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.215{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000028842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.215{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000028841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.215{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000028840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.215{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000028839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000028838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000028837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000028836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x800000000000000028835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000028834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000028833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000028832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000028831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000028830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000028829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000028828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000028827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000028826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000028825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000028824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000028823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000028822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000028821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000028820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000028819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000028818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000028817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000028816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000028815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000028814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000028813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000028812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000028811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000028810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000028809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000028808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000028807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000028806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x800000000000000028805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.198{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.199{3AAE424D-EA1E-630D-0804-000000007502}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:46.089{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BFEB48FE5584B70F4F4A86083B9848,SHA256=0A0E7530D1E6807794AF27F5BC03B57E62AA3B7BB74D54FFD3F39F1874FCB38F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:47.618{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA1F-630D-0A07-000000007402}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:47.618{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:47.618{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:47.618{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:47.618{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:47.618{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EA1F-630D-0A07-000000007402}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:47.618{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA1F-630D-0A07-000000007402}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:47.619{BEA5AFC2-EA1F-630D-0A07-000000007402}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:47.281{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D6F1057A553D1CA06470D231A84B2A,SHA256=DD0BC1968C2EAA4FBE7D643213BE70D6CE3C6FB25BC5CC39C0779D5E7B09E347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:47.281{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=029ACEEEB92E393FDEF9BD86BB5AED67,SHA256=3E3A80FAC2454411A66722D80791BB5781A70893A44FAC00863E2737B7BD2365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:48.394{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74627CE8C2B8D27589B0103E8532978,SHA256=67257E606341240C9AC33A361782E89BCA66554B63C7E8B2CCA150BD4A58625A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.966{BEA5AFC2-EA20-630D-0C07-000000007402}60206336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.810{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA20-630D-0C07-000000007402}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.810{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.810{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.810{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.810{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.810{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EA20-630D-0C07-000000007402}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.810{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA20-630D-0C07-000000007402}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.811{BEA5AFC2-EA20-630D-0C07-000000007402}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000038121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.732{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE7B1BF3881CBF0BFA5BE0339EE7F56E,SHA256=725B8EE12C89E9C67A9A426147027120940EE497D67693F2A3DEB2BF7400DAB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.293{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA20-630D-0B07-000000007402}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.293{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.293{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.293{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.293{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.293{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EA20-630D-0B07-000000007402}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x800000000000000038114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.293{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=70F244C5671F339DE19A5FC1B425F9DC,SHA256=FC0F9D65B0A539240A465E44CED13B805CF0AC4D0CC411DCF7AD133CD041CACF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.293{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA20-630D-0B07-000000007402}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.294{BEA5AFC2-EA20-630D-0B07-000000007402}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000038111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.278{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=EE68254AF84EBE708DE83835002A57BC,SHA256=6600BBDCCCA958FC21000171DAF47C7B7A27A96093BFC76D928EFEFAA92F90F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:48.087{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0CFB4F7BED85E346057BA6FD3C69FFE,SHA256=4827E19B354F8C83D41E5274D3E26B55A279FCCD39022EC44CF4ECFB9F2CC413,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:47.946{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50274-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:49.490{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C8DC6D0305EFCA488539F5C69C7617F,SHA256=7926BABACECE64871C10C8B9D1D64B136B0B52E2B116517F123D8F5D94BDCAAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.942{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.938{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.937{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.935{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 354300x800000000000000038162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:47.817{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53694-false10.0.1.12-8000- 10341000x800000000000000038161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.930{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.918{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.915{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.614{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.609{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.606{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.605{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.603{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.598{BEA5AFC2-EA21-630D-0D07-000000007402}63846868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.579{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.574{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.562{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.556{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.552{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.542{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.536{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.526{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.520{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.513{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.506{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.474{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.472{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.430{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA21-630D-0D07-000000007402}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.430{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.430{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.430{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.430{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.430{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EA21-630D-0D07-000000007402}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.430{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA21-630D-0D07-000000007402}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.432{BEA5AFC2-EA21-630D-0D07-000000007402}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000038131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:49.177{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32A2418D14A6EC5B8070D14352146D96,SHA256=FCD131A8CB3B0BC00898359EEC78653049E45C82EF7ADB77FA503F7422561B36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:50.585{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E4F668117ED090AF4C9D850FE2843AE,SHA256=F921DE2C631FDAE65EEFBC5A34D2D0650C4AF7E8B66568D6AE1D8BD05B280DBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:50.555{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA22-630D-0E07-000000007402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:50.555{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:50.555{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:50.555{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:50.555{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:50.555{BEA5AFC2-DC7F-630D-0500-000000007402}416432C:\Windows\system32\csrss.exe{BEA5AFC2-EA22-630D-0E07-000000007402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:50.555{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA22-630D-0E07-000000007402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:50.556{BEA5AFC2-EA22-630D-0E07-000000007402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000038167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:50.334{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5247E20E3F1782C9510D44030A0B4E79,SHA256=203BCBE284B6892F31C4A68456C77083410800224691161F8B9EB446995D0444,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.760{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9D5-630D-F803-000000007502}4604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.758{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.758{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.754{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 23542300x800000000000000028901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.736{3AAE424D-DEE3-630D-1100-000000007502}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7B2E13538FD14D7AD140FAF1F2CFF7F8,SHA256=9AB35FDE7BE93AF9C33E89DC00EDBDA8F55F5D8BBADC541F51AF1E3A0DB89CBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.725{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.710{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.708{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C5-630D-5603-000000007502}208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.670{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.660{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 23542300x800000000000000028895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.655{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=480C1BE240A33D1F0A9E32399B2C4357,SHA256=7F0E7EBF9850B505F3106ABBB89AAFB54A1AAEFDA707298194AEEFBC5859A037,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.635{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.628{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.624{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.621{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.615{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.612{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.610{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.606{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.605{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.604{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.603{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.600{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.598{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.594{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000038195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:51.976{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:51.975{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:51.900{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA23-630D-1007-000000007402}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:51.900{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:51.900{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:51.900{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:51.900{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:51.900{BEA5AFC2-DC7F-630D-0500-000000007402}416500C:\Windows\system32\csrss.exe{BEA5AFC2-EA23-630D-1007-000000007402}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:51.900{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA23-630D-1007-000000007402}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:51.900{BEA5AFC2-EA23-630D-1007-000000007402}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000038185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:51.427{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2096EA0A51E401F37B3E9C843A5CAA4,SHA256=4F2DCC9195E2623A6CAA6FE879F6C2E101A4B002732BBF25894ED3D8B59FA656,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:51.365{BEA5AFC2-EA23-630D-0F07-000000007402}58246500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.585{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.578{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.572{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.569{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.562{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.538{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.536{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.525{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.484{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.474{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.459{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.448{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.432{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.425{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.418{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.409{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.395{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.379{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000028862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:51.376{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000038183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:51.226{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA23-630D-0F07-000000007402}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:51.224{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:51.224{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:51.223{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:51.223{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:51.223{BEA5AFC2-DC7F-630D-0500-000000007402}416500C:\Windows\system32\csrss.exe{BEA5AFC2-EA23-630D-0F07-000000007402}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:51.223{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA23-630D-0F07-000000007402}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:51.223{BEA5AFC2-EA23-630D-0F07-000000007402}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:52.744{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C950D1FBA4AE5E6057900E55CFA2AB8,SHA256=35359D6AC513B6C8424A19664AD95D86AFB77F5B3227B8E7E7E324C5B7C5A95A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:52.566{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:52.558{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:52.552{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6406-000000007402}2624C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:52.534{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:52.528{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:52.516{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:52.511{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:52.510{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:52.508{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:52.506{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:52.502{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:52.500{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:52.500{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:52.496{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:52.495{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:52.495{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:52.494{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:52.493{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:52.491{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 10341000x800000000000000038198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:52.489{BEA5AFC2-E595-630D-7006-000000007402}52726512C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000188D9A50) 23542300x800000000000000038197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:52.394{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2278570CD210C20BC8E8439A6F5E607B,SHA256=CE1A3DEDE6AF717FC5629FBC896037945C70BABCD1214EAAC050A218B5BACAE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:52.054{BEA5AFC2-EA23-630D-1007-000000007402}7085260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:53.840{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25288B8EE8BC208C90B146B13006169,SHA256=8B469A1E7E4854AD8803BF89ABDD9D0CDBEBF029FE69A1342932D5096B8B33C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:53.451{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7A881BEC7E8ED6BBE871284296FE97,SHA256=5BF016EF93BD32248FF9418A794B8B7C2DA0C15A0927C21AF0B3D45931480318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:54.938{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDBE3881BC543159615BD9246DC934F4,SHA256=B34A6169C8478B2D6B5F6AE509D2DFC6F680305500670ACF8887EFF40D0D5990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:54.552{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E697819F39A2478318295FF7F8839387,SHA256=B772CE49B7F4F60ED074B79CF3E80E4BD88B4A94E30ED8FE8791CBC7CF53D1CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:55.646{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF4873518CB34D1014DAD2D44AEC69B,SHA256=9E0A79AE166D9362E0C66CFAFA7BC8B9A50C82E69C51245059D24405C2CA5D51,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:52.837{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53695-false10.0.1.12-8000- 23542300x800000000000000038222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:56.739{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42567FFDB36CFA064B48D0E83EC60C16,SHA256=01F92A60D760266C828BD96BF0D311373667E9927078C47D3B1286FA3E82B97D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:56.053{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=758EA505160E36249F83A63BA13A685E,SHA256=7AE8B6E3125BDFCD4D7AD0CD96CA5106413C7470B00CB234E883F6234D296452,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:53.893{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50275-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000038223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:57.833{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=796923A60CF850ACAB4A399460F5CC96,SHA256=6AA971A1987180E796A94FBEF8C439608F044E7863016FE938CC23BEC31DBAE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:57.133{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD8725FF9D4C3802496A7370094614B1,SHA256=A0B5E1E75425E4DDA5E2EBE8C8D0DE1531B5BE236F2A5FCADCE730B4E1AB6884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:58.926{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E47F40DF481C28D4EDD336B2A4368B06,SHA256=90867349E34B398D43B5B5177D6C40F810B48C4AE6603F2916ED64145F501F33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:58.341{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9443D1D5820AD0EB23D90863AC1377F5,SHA256=5449F4720B1D451DEE3840C10373E8CB69820CFB50F31337757FFB656B674A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:59.443{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710AE755605EEFCEFB13D0CFD0A2EEF3,SHA256=821A76882A8D50C85A2D00A4D814D60D9FF4BFE1753F58116E03B1EDAFDAC77F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:00.649{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B277903F89EB723296B68B556075110,SHA256=846C18A778C38DD20367F7BB1067562DC01C8F0FCA2859E30B33DD1A29179E06,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:44:58.829{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53696-false10.0.1.12-8000- 23542300x800000000000000038225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:00.008{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC987FEAA107CC02C7851C08B1031A68,SHA256=87797F8C91D83C5E0499A387FE4C62BD27E5E54543C5D4487FCA8DCC4F77DE6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:01.730{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3E7016557447A0F36CFE54FA4DB020,SHA256=EC3AF8D51B1424BBACF3AC0BC41324CB6B2C8A7A48A991664477DEE8F2E6DA1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:01.097{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C846AE454C73B3CA7C591F2B4F3E49F2,SHA256=FCD11468DDE3D7C9859C7D7DB11EA9BFABFBC9D17E961BDD453D482F289EDE1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:02.914{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62FA8344C07728A4169114A685951FC1,SHA256=4C2DEDADB2FCA55747E8A4E77A1647FC65D645B30069B3FDAA0FC84830885B9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:02.206{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A358F229E39A88B8D1E6C7824DB776B,SHA256=72FE458D021425C68AF097CBC3FC658EE6CC062FA1428D88D2B268EEED717425,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:44:59.889{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50276-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000038229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:03.294{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC6E9FA15FEE8FBB2B17F62E64A0B63,SHA256=5D27756D7C46C112FED8FBED0698301ABCE9FACE0DDBC66D18C393C143FCB365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:04.382{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B0EC69DDF9B92E51CAAC025F3883600,SHA256=B1D5133AEB38AD9DE32463066E298F38E5B80BC3DD494F062132090320B67D9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:04.104{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A21D926CD93054648F87446ACFA2A0,SHA256=ED34813D6B310F0BAD37E52AB9D242EC0F8CE5FE26751A43FD322A324F8CF5CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:04.045{3AAE424D-DEE3-630D-1A00-000000007502}1788NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-057096b16942fd9f4\channels\health\respondent-20220830095653-046MD5=D4339613963D06E92774A3EB9FED8697,SHA256=EC6B2C8C371CA336E2A0B482E95A3B0DACA37B87AC3FADB516AE5F6436D8643B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:05.469{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADFF8D2DB7283E1D5547BCD8A8BDBDDB,SHA256=EAA2AF8B0EE2E9F705CA740E7F1A9C713779800B050FE18DE7771037DF4C51B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:05.316{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D9226DB7A32531742BD6FE0F5C78E5,SHA256=BBDB55497C51B37218F49FC360342DED3B0929B7EFBFE4B693195552666678A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:05.050{3AAE424D-DEE3-630D-1A00-000000007502}1788NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-057096b16942fd9f4\channels\health\surveyor-20220830095651-047MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:06.576{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8BE9CE21F1EAF2A46AA2E16F0911F1,SHA256=67CABE276269E10D32F1A57AD7AD04713EAAB8D5346171A270CB832B78831BB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:06.417{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8550BCE61D8E284E023D72D15203CF6B,SHA256=B515921551502D6FC9D5372118649B1FDBC0472DC8C08F9CA80CC847107A9EC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:04.003{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53697-false10.0.1.12-8000- 23542300x800000000000000038234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:07.663{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E19ACE86DCD63AC08E1103CA59B41D03,SHA256=FE5900DB2D8655E4FF1A4D77AF6745666790E821A2DBB1980EB83A5960973892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:07.506{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E450FB13768534CF8F053076A895B01,SHA256=ACE9A365B98E49CA27C6900AA3D94BC6741D633AFB75FFFEA3536F13C74593A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:04.931{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50277-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:08.710{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39DEBE64AD80B4F86F2C601BC23C2AA0,SHA256=7A8A7CA8F1D600D97581AC25F942AADE802C56EE3952DE39FB6317CA31869EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:08.756{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B1804C48B67F3B32BD7FDF0557C62F,SHA256=687B5ACD4D55959C3B15438BB10F01181A68AA511DA4B4D8A93B7DFDA9AFEA41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.825{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=770CE30E502E3117E2D7EC90C9EAE57A,SHA256=B989CE901EA0E9B2799C8152874100CCDDE2DC16009E449ECA8B228A1446D155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:09.802{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3315D604FCEDA283A6D821B217382CB0,SHA256=E1E6F054B96103B9141F335C840E80D6EEA029833FEDA857121D40C25CFA0BF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.629{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.623{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.620{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.618{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.616{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.591{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.585{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.572{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.566{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.561{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.552{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.543{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.533{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.527{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.518{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.511{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.472{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.469{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 23542300x800000000000000038236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.443{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F10761BF1FABE9ACA567A4E55D07BF6E,SHA256=D176E9D43E6FB26DF4788AECA2215E705A9EE9BCECF723BD66284464281BB053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:10.897{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=823EB6B8858B8FB894DDFA1F92A974A1,SHA256=CC01FB3A5663733F2AB44CD22EEBD50E5C9226182B62F41CF5FA4141D59E7F6B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000038274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:45:10.961{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000038273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:45:10.961{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0035a045) 13241300x800000000000000038272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:45:10.961{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8bc55-0x321dc85a) 13241300x800000000000000038271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:45:10.961{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8bc5d-0x93e2305a) 13241300x800000000000000038270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:45:10.961{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8bc65-0xf5a6985a) 13241300x800000000000000038269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:45:10.961{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000038268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:45:10.961{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0035a045) 13241300x800000000000000038267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:45:10.961{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8bc55-0x321dc85a) 13241300x800000000000000038266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:45:10.961{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8bc5d-0x93e2305a) 13241300x800000000000000038265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:45:10.961{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8bc65-0xf5a6985a) 23542300x800000000000000038264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:10.899{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F1E7464E2F1B9DAD0B2801B3A0FA03,SHA256=248B374E45CF4C05722387B584FAC3B5EBF02C944E08973AB6676D556854C757,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.017{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53698-false10.0.1.12-8000- 10341000x800000000000000038262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:10.047{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:10.042{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:10.041{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:10.038{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:10.032{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:10.013{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:10.010{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 23542300x800000000000000038276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:11.980{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18B61D8C81A8C9F7EE80F0B08DCA7B0B,SHA256=F9E3D13EA725B4B59FC67753A2C2075F84CF5F32016D65865CCF5424DFEF4448,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.775{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=17742A3B43B3631364D07A6F57269B1D,SHA256=FB595FE15E26BA8A2AFE408D612BB521785F8B16580AC19D9C341D7589DD4DA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.735{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9D5-630D-F803-000000007502}4604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.734{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.734{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.732{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.715{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.697{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.695{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C5-630D-5603-000000007502}208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.661{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.647{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.622{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.615{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.613{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.609{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.607{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.603{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.601{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.592{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.590{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.588{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.586{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.583{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.581{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.577{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.573{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.562{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.557{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.551{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.539{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.522{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.519{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.510{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.477{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.469{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.459{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.453{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.439{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.430{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.421{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.413{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.400{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.393{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000028928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:11.390{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 354300x800000000000000038275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:09.205{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53699-false10.0.1.12-8089- 23542300x800000000000000028971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:12.531{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60AF2D9B6B09D524D9DD632EDF8D54A,SHA256=760DDFF0551D9833A68DEBCB6176E52B4BB2C2FFF4F287FC2789A19FD3BA30D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.700{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.690{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.682{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6406-000000007402}2624C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.657{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.651{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.641{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.636{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.634{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.632{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.629{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.622{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.619{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.618{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.614{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.613{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.612{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.611{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.610{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.609{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.607{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.092{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000038277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:12.091{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 23542300x800000000000000028975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:13.710{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367454C3886604F435E9F748B5FDEEA3,SHA256=7E770D8AAC50B18F5103843497378B2F481BEB1723EF939E5D052A4CDA4A5D03,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000028974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:13.710{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000028973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:13.710{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkrBinary Data 10341000x800000000000000038313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:13.897{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:13.897{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:13.897{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:13.896{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:13.896{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:13.895{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:13.895{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:13.895{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:13.895{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:13.892{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:13.892{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:13.449{BEA5AFC2-DC7F-630D-0B00-000000007402}640844C:\Windows\system32\lsass.exe{BEA5AFC2-DC7D-630D-0100-000000007402}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97fa2|C:\Windows\system32\kerberos.DLL+7a1d8|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000038301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:13.323{BEA5AFC2-DC7F-630D-0B00-000000007402}640808C:\Windows\system32\lsass.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:13.323{BEA5AFC2-DC7F-630D-0B00-000000007402}640808C:\Windows\system32\lsass.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000038299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:13.057{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7E497185766B88224D0A5B28E2480A3,SHA256=9E29B7F8A9C5EB647E97423D185A35D1F3E9C41B5271A9AD4F7F0975F6038CF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:10.837{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50278-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000038324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:13.230{BEA5AFC2-DC7D-630D-0100-000000007402}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local53703-truefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local445microsoft-ds 354300x800000000000000038323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:13.230{BEA5AFC2-DC7D-630D-0100-000000007402}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local53703-truefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local445microsoft-ds 354300x800000000000000038322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:13.195{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53702-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000038321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:13.195{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53702-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local389ldap 23542300x800000000000000038320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:14.481{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE2C31EEAD6179AFE0A685FC0EFF435A,SHA256=F2A5FEDA11BA239CA70F65157B01D69169FFD69E50339A8B02AB885403A194DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:14.481{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=366CED5FE2B8CC7693922FB1E3720468,SHA256=28C57B5DA7FB0491CA12FE5581A948A56A40E088B257E35E535A8C6922B9120C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:13.113{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53701-false10.0.1.14win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000038317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:13.113{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53701-false10.0.1.14win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000038316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:13.104{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local53700-truefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000038315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:13.104{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local53700-truefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local389ldap 23542300x800000000000000038314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:14.153{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E11558C41CE9E832640BFAA42D67E94A,SHA256=BC6E93ECD2CF7672581503CA16D8F84C2833DC3467FD3746F5AA468398B2C7BD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000028976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:14.411{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 10341000x800000000000000028988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:15.353{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:15.352{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:15.352{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:15.352{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:15.352{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:15.350{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:15.350{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:15.349{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:15.349{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:15.345{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000028978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:15.345{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 23542300x800000000000000028977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:15.022{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=284EAC27FDCA64DF8DCB811332C766F4,SHA256=CBF547BBA41926D869220475D2A2EF40F46571498B09FF8A0DEC86ACD04D09DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:15.243{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3258BC4E81DC286CD3532B7FE3A5C62D,SHA256=2B162E2B5E897A9097B6F74169259CFF11847671401D236397AA95BF87208DBE,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000029053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.565{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000029052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.550{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000029051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.550{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000029050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.550{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000029049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.550{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\thumbcache.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Thumbnail CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationthumbcache.dllMD5=915850DD84E156381392FC43ECDF37C0,SHA256=03E2C6D75BCC4FE599C40C4929E2877543EE625494BAC86D988AD23A0439468A,IMPHASH=428FE673E24F7848BECF2BA2271A839AtrueMicrosoft WindowsValid 10341000x800000000000000029048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.550{3AAE424D-DEE3-630D-1400-000000007502}8642264C:\Windows\system32\svchost.exe{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.550{3AAE424D-DEE3-630D-1400-000000007502}8641088C:\Windows\system32\svchost.exe{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.550{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000029045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.550{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000029044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.550{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000029043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.550{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000029042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.550{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000029041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.550{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000029040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.534{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x800000000000000029039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.534{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.534{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x800000000000000029037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.534{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000029036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.534{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000029035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.534{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000029034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.534{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000029033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.534{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000029032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.534{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x800000000000000029031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.534{3AAE424D-E5C0-630D-4003-000000007502}31522856C:\Windows\system32\csrss.exe{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x800000000000000029030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.534{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000029029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.534{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000029028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.519{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000029027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.503{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88trueMicrosoft WindowsValid 10341000x800000000000000029026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.503{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.503{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000029024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.366{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x800000000000000029023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.355{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x800000000000000029022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.355{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 734700x800000000000000029021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.349{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\EhStorAPI.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Enhanced Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationEhStorapi.dllMD5=1287D2464B3F71ECC99316991E038B0B,SHA256=7FFA04958C7E76E42712E8D9E03037E3E98E2A6E1A6D277E48A76C55F4E794E8,IMPHASH=33685761AD2886071A8D7CFB81130BEAtrueMicrosoft WindowsValid 734700x800000000000000029020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.344{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\wpdshext.dll10.0.14393.4169 (rs1_release.210107-1130)Portable Devices Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShExt.dllMD5=CEB555E9099888316A1E2ADE83BA82BF,SHA256=4110FFD5F08100D1F6E1005E2907460E40B3221A0833B821BE291657416E89F0,IMPHASH=60006258D4DE87B31BEDA805A8CC8040trueMicrosoft WindowsValid 13241300x800000000000000029019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.294{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000029018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.294{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000029017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.294{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000029016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.294{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000029015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.294{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000029014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.294{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x800000000000000029013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.294{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 734700x800000000000000029012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.294{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\PlayToDevice.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)PLAYTODEVICE DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPlaytoDevice.dllMD5=F16F9896C90C06D66C3538AD9DA011F7,SHA256=EF2A5483794B7E4D836393CF2F4C3A065719855C16933D25C219E620BB692A8A,IMPHASH=C336F93278ACA9710F465E21059D5842trueMicrosoft WindowsValid 13241300x800000000000000029011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x800000000000000029010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000029009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000029008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000029007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000029006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000029005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000029004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000029003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000029002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirectionDWORD (0x00000001) 13241300x800000000000000029001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PIDDWORD (0x00000000) 13241300x800000000000000029000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID{00000000-0000-0000-0000-000000000000} 13241300x800000000000000028999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupViewDWORD (0x00000000) 13241300x800000000000000028998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfoBinary Data 13241300x800000000000000028997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\SortBinary Data 13241300x800000000000000028996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSizeDWORD (0x00000010) 13241300x800000000000000028995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x800000000000000028994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewModeDWORD (0x00000001) 13241300x800000000000000028993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ModeDWORD (0x00000004) 13241300x800000000000000028992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid{137E7700-3573-11CF-AE69-08002B2E1262} 13241300x800000000000000028991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x800000000000000028990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:16.263{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\RevDWORD (0x00000000) 23542300x800000000000000028989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.105{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55AE4241D4976E80891994EFC25B6F7C,SHA256=991B712CF9F0883D0F3C443DD891A8717B075B07E601D73EFE886C653762429E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:14.942{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53704-false10.0.1.12-8000- 23542300x800000000000000038326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:16.325{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C5F939FFC151B1A155591477296C237,SHA256=8D95C7E366D0CC870B00EA1C13E3CC15D0973AAC00BA38ABD76B21128E49D8E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:17.529{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E00988449A6EA6F51BF772C2EB03214,SHA256=219257D7CA9286216E0B103187348047D2BDF2B75C4BE1A6057D6368FF27B037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:17.498{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0AE6AB740DCFEB2074F023E53393268,SHA256=E50BD3778F37B3642DF4F4BCEA9AB34EC1521BC944459EB92354FFAACD2326DC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000029061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:17.435{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000029060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:17.435{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 10341000x800000000000000029059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:17.382{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000029058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:17.381{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000029057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:17.381{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000029056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:17.381{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000029055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:17.381{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000029054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:17.380{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA3C-630D-0904-000000007502}3472C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 23542300x800000000000000038329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:17.489{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=EC78D4486F5ACFD25877F126C1E62A4A,SHA256=20A1CD0F35097D19C920170000B88B73D3D3629FFC78E6027FB8671114E73BD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:17.411{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978B69E1DE864FBDF11ABB7565B574B8,SHA256=AF5282EE06329B682547AB166DACE9C0488E7C3B45FDDB1AB9CC33F6DAFBD1DD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000029099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.495{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderTypeDocuments 13241300x800000000000000029098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.495{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderTypeDocuments 13241300x800000000000000029097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.448{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000029096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.448{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000029095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.448{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x800000000000000029094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.432{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 23542300x800000000000000029093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:18.417{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACEF409C6CCC5D9B45B6084F78C4EF13,SHA256=367471DF881E800C279B8C01FF9ADB9708162632B7026B2E8A0D568A7B247DEA,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000029092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.417{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x800000000000000029091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.417{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x800000000000000029090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.417{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x800000000000000029089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.401{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000029088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.401{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000029087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.401{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderTypeDocuments 13241300x800000000000000029086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.401{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000029085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.401{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000029084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.401{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000029083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.401{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000029082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.401{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000029081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.401{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000029080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.401{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000029079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.401{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000029078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.401{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirectionDWORD (0x00000001) 13241300x800000000000000029077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.401{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PIDDWORD (0x00000004) 13241300x800000000000000029076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.401{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID{B725F130-47EF-101A-A5F1-02608C9EEBAC} 13241300x800000000000000029075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.401{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupViewDWORD (0xffffffff) 13241300x800000000000000029074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.401{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfoBinary Data 13241300x800000000000000029073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.401{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\SortBinary Data 13241300x800000000000000029072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.401{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSizeDWORD (0x00000030) 13241300x800000000000000029071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.401{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlagsDWORD (0x41200001) 13241300x800000000000000029070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.401{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewModeDWORD (0x00000002) 13241300x800000000000000029069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.401{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ModeDWORD (0x00000006) 13241300x800000000000000029068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.401{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid{65F125E5-7BE1-4810-BA9D-D271C8432CE3} 13241300x800000000000000029067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.385{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlagsDWORD (0x41200001) 13241300x800000000000000029066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.385{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\RevDWORD (0x00000000) 23542300x800000000000000038330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:18.510{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA6590A12EDEC1580699638810C0A8A2,SHA256=ED74A3B0925F61308ED1EE72FEC6581AA3CEEC4751E4944DF7FE7F14A76E931C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000029065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.385{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000029064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:18.385{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000029135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.787{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\SniffedFolderTypeDocuments 13241300x800000000000000029134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.787{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\SniffedFolderTypeDocuments 13241300x800000000000000029133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.768{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000029132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.768{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000029131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.768{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x800000000000000029130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.736{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x800000000000000029129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.736{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x800000000000000029128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.721{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000029127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.721{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000029126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.721{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\SniffedFolderTypeDocuments 13241300x800000000000000029125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.721{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000029124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.721{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000029123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.721{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000029122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.721{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000029121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.721{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirectionDWORD (0x00000001) 13241300x800000000000000029120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.721{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PIDDWORD (0x00000000) 13241300x800000000000000029119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.721{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID{00000000-0000-0000-0000-000000000000} 13241300x800000000000000029118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.721{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupViewDWORD (0x00000000) 13241300x800000000000000029117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.721{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfoBinary Data 13241300x800000000000000029116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.721{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\SortBinary Data 13241300x800000000000000029115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.721{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSizeDWORD (0x00000010) 13241300x800000000000000029114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.721{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200011) 13241300x800000000000000029113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.721{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewModeDWORD (0x00000001) 13241300x800000000000000029112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.721{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ModeDWORD (0x00000004) 13241300x800000000000000029111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.721{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid{137E7700-3573-11CF-AE69-08002B2E1262} 13241300x800000000000000029110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.721{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x800000000000000029109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.721{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\RevDWORD (0x00000000) 13241300x800000000000000029108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.721{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000029107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.721{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 354300x800000000000000029106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:16.759{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50279-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 13241300x800000000000000029105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.531{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000029104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.531{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000029103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.531{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListExBinary Data 13241300x800000000000000029102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.531{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000029101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:19.531{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 23542300x800000000000000029100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:19.515{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C7AD7E95A3019F379D8E3E3ABDD995A,SHA256=1EA98D1FAC606BB96E732CCAAE962A3AC4DF2FCB02AA9AAB6251AC25229F17FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:19.595{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C91FF3F3715FC40F7EA93E5331D7D802,SHA256=92BF3D039BECA61F2DB9325AA7BD90E5D9C632BE95C8BAF89A7189ECCF48E389,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:20.967{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E591BD2539B508BA54829311C8230CC,SHA256=5F4E633F29A66EE1DCA4F90A8270C19C4C438E41B0A48A93078F556DF71E0776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:20.692{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=430255ACBA694A2EA8FCD1554CDDE784,SHA256=60234C4A90A30D695008EE5EAC1EF67DEE32356CE4C3377F9F6106CC4091EF77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:21.793{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B7C7A2C49A520C698DC16B237719C75,SHA256=B8333CF6C428199BB072E8DE6E94844134FEDAF482947ACDADFEF44C896921D7,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000029137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:21.894{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\zipfldr.dll10.0.14393.4169 (rs1_release.210107-1130)Compressed (zipped) FoldersMicrosoft® Windows® Operating SystemMicrosoft CorporationZIPFLDR.DLLMD5=4849E9F93A0F34EC87F82E26049B47FD,SHA256=ADA89724741D0053E8322199764BDF5B39F7B94C0D973248D5FC7AF2F59C8590,IMPHASH=FA770D60A54EF20694B1F385EAA957B5trueMicrosoft WindowsValid 23542300x800000000000000038334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:22.874{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C74D841657058838210825A688A6343,SHA256=3C6B6500FF29D41058BF52B9DE6F86972BCC52FF067E7376F3398FA8F924F977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:22.034{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3790854177F7400DA3ED8E346C1E3D34,SHA256=0043B9288745CE1E637A517466D569D706430DC0B9248F6A9723B7AA646D71FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:23.968{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847AD9861F26A0ADABF9DFD698D80822,SHA256=C0CC59FF5A416CF6F5197556009C4165E4D734154E230C73CCFDABB2D1C44A55,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:21.900{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50280-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 13241300x800000000000000029144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:23.132{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000029143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:23.132{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x800000000000000029142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:23.132{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000B02F2\VirtualDesktopBinary Data 10341000x800000000000000029141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:23.132{3AAE424D-E5C4-630D-4D03-000000007502}38763224C:\Windows\system32\taskhostw.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:23.132{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91A83FE6D3D804B613FBB485210CCD1C,SHA256=22A96FECF5F2F59B809123F04D871AB370DD2EB63BE414F9095E6991EB35F246,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000029139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:23.116{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 354300x800000000000000038335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:20.865{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53705-false10.0.1.12-8000- 23542300x800000000000000029146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:24.228{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08AA63BF4E46868E688DD1CEB988BCB2,SHA256=DA82764BD70EABE7D0E7ACCFF71AF5F93821BF6A4E41DBE61875334D0BBF6A63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:25.329{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E808BBEF2874F9C7D117506A8404F090,SHA256=3C0CA7F46D9CBA6015874420BBC347B4BB54789ACCD45CEEA4EDA613B2EA088B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:25.265{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22D1D5CFF809E9BDB70E17E5857AF8C2,SHA256=492BE1DE5A00166820FDFE74EC0A5E2467D43659338FCFA6A99EE422FF48CC62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:25.063{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C4B13476F673F34B319E1254D27C62C,SHA256=BD420DF1F26FE7B06ABDB735F58E96843523F19A1634DD00C43188CC671F0133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:26.415{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1FCFCC4AB7719CCF47D3D3A8079CDC,SHA256=11F8DEAB71800C0B51A647E27910F4F84CE806C4033B773322B7E97A1FE5ACC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:26.321{BEA5AFC2-DC92-630D-2300-000000007402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00bf26b22d19118c1\channels\health\respondent-20220830094700-056MD5=C491190F90C7972FBE76687DCEFF5872,SHA256=DB0E0926111D00D550C987F8CEF70C29389AC9CA5369CEC4CC3BEF95D75DEA18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:26.163{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A0D2D331C5FAF8909F48792D3254B12,SHA256=46A2917034066A0940B58E5A86005D9A5A23EBE9EDC3FB00508BD5FA11865F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:27.496{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48609ACFD132F35BAF06AE375EA89860,SHA256=9C43FAAB2F97E911B2FDBB4DCE0FEBC1DAB440A38FBFB774421BFA71798127DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:27.329{BEA5AFC2-DC92-630D-2300-000000007402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00bf26b22d19118c1\channels\health\surveyor-20220830094658-057MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:27.249{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D2A2DC67B2A2BC53760248313F64591,SHA256=6849B16A166268DBC95E76587DF5621DB3E05F4A30ECD439230D7A17B0EE2031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:27.340{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F10761BF1FABE9ACA567A4E55D07BF6E,SHA256=D176E9D43E6FB26DF4788AECA2215E705A9EE9BCECF723BD66284464281BB053,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:27.034{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50282-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x800000000000000029152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:26.924{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50281-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:28.590{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7728D84FA52F3997BF42AECDF3A59F40,SHA256=B7F691903CCCE5B60360B2ACE223B2933857A724F61CCABD9811C6838A4A050C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:25.939{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53706-false10.0.1.12-8000- 23542300x800000000000000038343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:28.342{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E2EAD4FB6631CE0DC3B78FB81A77639,SHA256=369153E01AAA451AFF9378AF9DA0E4B8B6E72F5FA516DB0CB15234AE44615F42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:29.689{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468418A8A550D61B5D76E15F1709F5CC,SHA256=A8056199508F755F19D2852957BC07F3FE7A3E6C26F7DFEFE2917D8B95DAE89C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.629{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.622{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.619{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.617{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.615{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.589{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.584{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.572{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.561{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.557{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.548{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.541{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.532{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.525{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.517{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.508{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.470{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.469{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 23542300x800000000000000038345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:29.421{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F0EA6C45EDF254966EC58152615D8F4,SHA256=B66190E7E746339BBB1D8AE1C3A05EC9E26D6FBA36C4F4E02C88AEC8BF5435E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:30.781{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A8D09A88085A67FCADD376935BE742,SHA256=E965927D2376D12A677C875F58EAAFB7034D12ADE0B2331DC4A671DC1AAB46CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:30.456{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290598F662D918D829C13F01E0841FA7,SHA256=5CC630B2BA0D3E376C6582DB3B25CF8D06EC23E4861240F1448B56A11C2E70D4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000029159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:30.359{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000B02F2\VirtualDesktopBinary Data 13241300x800000000000000029158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:30.296{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 12241200x800000000000000029157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:45:30.296{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000B02F2 13241300x800000000000000029156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:30.296{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000029155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:45:30.296{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 10341000x800000000000000038370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:30.038{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:30.034{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:30.032{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:30.030{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:30.024{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:30.010{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:30.006{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:31.925{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:31.925{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:31.925{BEA5AFC2-DC7F-630D-0B00-000000007402}640364C:\Windows\system32\lsass.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:31.913{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-E595-630D-7006-000000007402}5272C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000038372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:31.540{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B51505960E139CF31A771388EEFAB62C,SHA256=64486A653CA739D52A4C57EF9B0BF1F3CB1C9FB7EFF9E03AABF61AE435E0A9C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.758{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9D5-630D-F803-000000007502}4604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.757{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.757{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.754{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.739{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.724{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.719{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C5-630D-5603-000000007502}208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.681{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.672{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.650{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.644{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.642{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.639{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.637{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.634{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.633{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.629{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.627{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.626{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.623{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.615{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.613{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.611{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.607{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.602{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.599{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.594{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.587{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.569{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.567{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.557{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.529{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.523{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.516{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.502{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.490{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.484{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.476{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.458{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.441{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.416{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:31.409{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000038398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:32.689{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:32.680{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:32.653{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:32.644{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 23542300x800000000000000038394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:32.638{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0D67B048913FB41AA42ACC20F1CF0E6,SHA256=C29EB2E3544F33E33EE24EC519D0300DD599C35427FBF7B6833525E38D240387,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:32.625{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:32.619{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:32.617{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:32.615{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:32.612{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:32.609{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:32.606{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:32.605{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:32.601{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:32.600{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:32.598{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:32.597{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:32.596{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:32.595{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:32.593{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 23542300x800000000000000029203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:32.182{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F831632F55A6D24C2137DE22716A8525,SHA256=382FAFB39278AAC934DDA6E3FD5A4A2A59527DBF00AE9B8FD1287854AD4254A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:32.086{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000038377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:32.085{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 23542300x800000000000000038400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:33.610{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDADB8AE088017BA02EB740E818FA09E,SHA256=3CFCDB91B243D4964403A8F82D8D9D9919EB20F36CB72C54532FE85D552CDA80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:33.657{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:33.657{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:33.657{3AAE424D-DEE2-630D-0B00-000000007502}6243860C:\Windows\system32\lsass.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:33.644{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x800000000000000029210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:33.644{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x800000000000000029209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:33.642{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x800000000000000029208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:33.636{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x800000000000000029207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:33.636{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x800000000000000029206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:33.636{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x800000000000000029205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:33.635{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:33.266{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1754BB7F8C69AEC3954E257A8DE927D4,SHA256=87104430E69445B126D2ACC99B6CDC4E4B85254D4F12F6441C809D469644B46B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:30.954{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53707-false10.0.1.12-8000- 23542300x800000000000000038401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:34.704{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BFDDCC52160DBB5C0D8EFD75110AC30,SHA256=8204D336AF4FFFE7042B79D1A7F28B87838F581AF5DAEAD287096B8900EC7D5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:32.762{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50283-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:34.359{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FAEA56F5745CBD2CA014172896BB127,SHA256=44526824D0F99D303BF50B86C02CBB7C92EE38B028B0C39D361C403827023DBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:35.803{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6351D74333862DE4192E8DC1DDE933E,SHA256=4F535C3367146D05C5F548B4BF9F7D9A64614344988A97EFA992DA376642AB4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:35.446{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=851AC84139F9ECF2FC8263FDDA31036F,SHA256=95EBA1B3AB581C7A8FDFE71BC37238A9E0827AFEBD29E838E7DE5AB7EF1A9915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:36.903{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E6379B9A41B13C9EEB0F6F5814FC54F,SHA256=AA667AA80EEA82331C82AF6FFA42D21A49345AD5D1EB767AE37F09D412DAE819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:36.536{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC27792045BA9F27DBA1E4771D4BA45,SHA256=94AF9496FFECF2254E61F027F6EA6B206B61986C01A75E8EC912D8A938ED9561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:37.995{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6482ECC54C65DF1A8409FF41DB4253A,SHA256=6CAFCE1721D970780FF9AE0AD74E7EAA55174E8F4F0B1E52A3B956BFB0B4EEBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:37.627{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96B10D868144ACE223AC55D41E6ABAB,SHA256=A65AF51A518B0E9BEAB858EFCE577D85C62042DAAA1368D4B6C34455F028989E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:38.724{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25495ECB21599313BC9FA4AD0F6CECB,SHA256=39558ADEEE916D6720D3043831143C5843CDBFFF943A49762F7D9C851E62B0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:39.820{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B03B60BE6783AEF0542391A5DE7F847,SHA256=473F651A4078CA1A892D09649990458B28AB347CAED793FB3DA188070F809520,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:36.978{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53708-false10.0.1.12-8000- 23542300x800000000000000038405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:39.084{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB84423C84BD341A93C9FB7D2E089ECC,SHA256=DBA41B471061AB2110F592ECC5F6677850FC6E8CBEC2AF2A7C16780E2E8A84D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:37.917{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50284-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000038407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:40.179{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB4A57B446A5CC8C8F03FBF206B5E8E,SHA256=4C9ECF2B25244360A59BDE8148338E9277D86E2A67D93AA9A8CEA580C6687E91,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000029273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.889{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000029272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.889{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000029271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.889{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000029270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.749{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000029269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.749{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000029268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.749{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000029267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.749{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000029266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.749{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000029265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.749{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000029264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.749{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000029263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.749{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000029262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000029261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000029260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000029259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000029258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000029257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000029256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000029255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000029254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000029253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000029252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000029251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000029250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000029249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000029248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000029247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000029246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000029245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000029244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000029243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000029242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000029241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000029240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000029239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000029238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000029237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000029236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000029235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000029234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000029232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000029231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000029230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x800000000000000029229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.733{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:40.734{3AAE424D-EA54-630D-0A04-000000007502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000038408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:41.274{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F4CBCB95EC7D1F71365913EC73CD0DF,SHA256=70C655F17E1259A175B8829658522E3D4F5440A72AE1C99478F95BABB9F0BF64,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000029370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000029369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000029368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000029367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000029366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000029365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000029364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000029363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000029362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000029361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000029360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000029359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000029358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000029357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000029356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000029355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000029354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000029353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000029352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000029351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000029350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000029349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000029348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000029347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000029346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000029345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000029343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000029342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000029339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x800000000000000029337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.975{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.834{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5794D228E53C00D726C4F294D8234EFB,SHA256=D8B0789E263E2847A08BE0819983EFE87DF7080BB3E7CB7081F213B7AFAB3B0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.740{3AAE424D-EA55-630D-0B04-000000007502}55524872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.740{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000029330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.740{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x800000000000000029329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.565{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000029328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.565{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000029327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.565{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000029326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.565{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000029325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.565{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000029324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.565{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 23542300x800000000000000029323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.509{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=745ED6F08C86576E512E8C1F843FDBAD,SHA256=8C2C4A8F1B2FD41C346862CC7682D88E7B075C19E8738C7472C76E4B0B41DEB6,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000029322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.422{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000029321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.422{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000029320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.422{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000029319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.422{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000029318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.422{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000029317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.422{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000029316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.422{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000029315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.422{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000029314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.422{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000029313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000029312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000029311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000029310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000029309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000029308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000029307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000029306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000029305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000029304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000029303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000029302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000029301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000029300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000029299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000029298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000029297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000029296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000029295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000029294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000029293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000029292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000029291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000029290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000029289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000029288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000029287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000029286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000029284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000029283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000029282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x800000000000000029280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.406{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.407{3AAE424D-EA55-630D-0B04-000000007502}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.203{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=894E13456289D9AFFFC49D50DCB4A934,SHA256=3E22E3C57925CD8912BFDB23BA5F9CDE5C816B9EC33C8A4B1BA3B239D377FAA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:42.363{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4CBAF9D08F2AA829DD81089FD48A77,SHA256=430AED55F9295E416A7D2B9A2236FF5E14E1DECA9EE312EED04766F4C5AA0DCC,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000029448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.683{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000029447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.683{3AAE424D-EA56-630D-0D04-000000007502}57124308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.683{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000029445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.683{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x800000000000000029444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.625{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000029443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.624{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000029442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.624{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000029441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.623{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000029440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.623{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000029439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.623{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 734700x800000000000000029438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.502{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000029437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.500{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000029436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.500{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000029435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.500{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000029434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.497{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000029433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.497{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000029432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.496{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000029431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.496{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000029430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000029429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000029428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000029427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000029426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000029425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000029424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000029423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000029422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000029421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000029420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000029419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000029418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000029417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000029416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000029415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000029414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000029413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000029412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000029411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000029410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000029409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000029408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000029407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000029406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000029405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000029404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000029403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000029401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000029400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000029399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000029398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.475{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.476{3AAE424D-EA56-630D-0D04-000000007502}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.257{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B5C8AEFDB2DEA8E1A55605AEC4E20C5,SHA256=431BFD1A393B4EBD56331CDD8E95AFF19F43F88E7C63630782CFE03DD1337E7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.241{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F34A44EC94CEA640BA0385482D79CAC,SHA256=6D608B1B634F7183D2B989735E2695897341A526734A3A5674FCD9B20735638C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:42.144{BEA5AFC2-DC81-630D-1000-000000007402}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1215549192962EED7E64FB1DF85FFA85,SHA256=42548A65750AFACE78AB84E0E976BE7E2028100C7E9EF408FAE663EF84C4C7F1,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000029389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.193{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000029388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.177{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000029387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.177{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000029386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.177{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B0381A717928D67D39739872D497C32C,SHA256=7B0083F31643DE59D357BB48B938887F938A431477ECFDCD9F3DC5DE15F0029E,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000029385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.990{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000029384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.990{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000029383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.990{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000029382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.990{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000029381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.990{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000029380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.990{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000029379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.990{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000029378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.990{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000029377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000029376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000029375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000029374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000029373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000029372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000029371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:41.974{3AAE424D-EA55-630D-0C04-000000007502}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 23542300x800000000000000038411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:43.451{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D16611057AB54DDE1DD71A5BA89F5B0,SHA256=C49B63E1425C0FE56F048412E62F1C535B2A941C05E44C1E445ADFE8A67CB8F1,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000029497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.976{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000029496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.976{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000029495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.976{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000029494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.976{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000029493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.976{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000029492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.976{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000029491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.976{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000029490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.976{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000029489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000029488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000029487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000029486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000029485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000029484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000029483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000029482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000029481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000029480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000029479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000029478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000029477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000029476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000029475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000029474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000029473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000029472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000029471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000029470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000029469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000029468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000029467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000029466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000029465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000029464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000029463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000029462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000029461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000029459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000029458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000029457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x800000000000000029456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.960{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.961{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:43.371{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4C2353A3C3BCF61BDB8C19AED31393E,SHA256=FDF503E2520862C83FFED8FE4A567C749243DA81B7C939EBF67D0B5EFDF45E70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:44.550{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F358B5B0468F760745E0F21852696801,SHA256=CD0F2A0D6C321DC38921F8DB5490CE27B91D63190A9E9A0E1450952A421D8BFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:42.923{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50285-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x800000000000000029559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.739{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000029558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.739{3AAE424D-EA58-630D-0F04-000000007502}59084320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.739{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000029556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.739{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x800000000000000029555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.694{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000029554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.694{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000029553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.694{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000029552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.689{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000029551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.689{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000029550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.689{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 734700x800000000000000029549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000029548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000029547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000029546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000029545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000029544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000029543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000029542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000029541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000029540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000029539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000029538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000029537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000029536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000029535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.504{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000029534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000029533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000029532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000029531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000029530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000029529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000029528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000029527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000029526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000029525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000029524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000029523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000029522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000029521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000029520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000029519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000029518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000029517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000029516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000029515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 10341000x800000000000000029514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000029512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000029511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000029510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000029509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-DEE2-630D-0500-000000007502}4081028C:\Windows\system32\csrss.exe{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.492{3AAE424D-EA58-630D-0F04-000000007502}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.488{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA266BB3629727D09F312E8BBDFBA298,SHA256=A739055E780E27ED1091771A2A2FE49DF66DDE2894C6B4C42A052E8006089D0F,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000029501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.174{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000029500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.174{3AAE424D-EA57-630D-0E04-000000007502}55764324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.158{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000029498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:44.158{3AAE424D-EA57-630D-0E04-000000007502}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000029561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:45.593{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B1BF78A3B0C4A9F82D06FDE2CC8C0F4,SHA256=E2B0E9F057610352E36C478234ADE03E2CECFABD0BB3939660D11F63A26B6AB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:42.867{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53709-false10.0.1.12-8000- 23542300x800000000000000038413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:45.639{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5328AB348B74D13FD18EB11A1E2733A1,SHA256=B6637CBC3168BCFD797770F611663E2A24F8DABB747E181CD283ADAF207E787B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:46.731{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A49CBED08AF74D66829641323CCD4AC8,SHA256=B74AF7DF58F1EB422088D051D7784F5AFE40434A48BCC4D280B85AE1C66E6595,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000029612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.383{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000029611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.383{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000029610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.383{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000029609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.227{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000029608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.227{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000029607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.227{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000029606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.227{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000029605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.227{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000029604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.227{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000029603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.227{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000029602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000029601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000029600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000029599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000029598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000029597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000029596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000029595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x800000000000000029594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000029593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000029592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000029591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000029590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000029589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000029588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000029587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000029586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000029585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000029584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000029583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000029582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000029581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000029580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000029579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000029578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000029577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000029576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000029575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000029574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000029573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000029571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000029570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000029569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x800000000000000029568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.211{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:46.210{3AAE424D-EA5A-630D-1004-000000007502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000038432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:47.877{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7EBB9D8AD5E93AAAE5AE8E7634CBD897,SHA256=553BD1CE271712F93435FFAD7131E544B4B6F291F154BCB43C27CFA97E2F84BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:47.830{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=EA82EDB2201D6A61623C510C369862DF,SHA256=2DD9593FD70171E6E19C7A8904F5D8E12E36E45E40DE9902135CFC9DB1A96F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:47.814{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C806AEEAC47F095D8BA02562A541CE5,SHA256=72B62F090073A8A5B1AB693E1C9FADAEC8A228784B4A8597A40816EF9FE575D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:47.780{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EA5B-630D-1107-000000007402}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:47.780{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EA5B-630D-1107-000000007402}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:47.780{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EA5B-630D-1107-000000007402}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:47.779{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EA5B-630D-1107-000000007402}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:47.779{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EA5B-630D-1107-000000007402}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:47.779{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EA5B-630D-1107-000000007402}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 23542300x800000000000000029614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:47.261{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5255D00DB8897AB3ECDC75C5961E3CC,SHA256=7E99CCF4A34ED675F3B44C931AEEB55DC3042196F6658882B23315E7BC332BF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:47.151{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB15F99F359AFDD5A211A14F1EABA450,SHA256=57ABD55533404B7F89CE6677BC04B236CD49E2F1FC6369A6D51410C124920910,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:47.620{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA5B-630D-1107-000000007402}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:47.620{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:47.620{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:47.620{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:47.620{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:47.620{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EA5B-630D-1107-000000007402}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:47.620{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA5B-630D-1107-000000007402}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:47.621{BEA5AFC2-EA5B-630D-1107-000000007402}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000038450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:48.953{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA5C-630D-1307-000000007402}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:48.953{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:48.953{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:48.953{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:48.953{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:48.953{BEA5AFC2-DC7F-630D-0500-000000007402}416500C:\Windows\system32\csrss.exe{BEA5AFC2-EA5C-630D-1307-000000007402}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:48.953{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA5C-630D-1307-000000007402}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:48.953{BEA5AFC2-EA5C-630D-1307-000000007402}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000038442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:48.812{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E1071B4C13E64682D21262669B84759,SHA256=D7B6E9E08AADEDF4B1D0C8AC41DC64346311A3D569FBEFE6D5FBF03C9A448C8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:48.283{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FA15B9A49272C03BC56A32C8A315B1,SHA256=2812B7148265EF57EBA39B8F3ED8516E415EBA62B59316B5D9F07BC00D05C900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:48.706{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=148562877F4251E82D3DBFA83D6902D4,SHA256=39A61417EF77F6E0C004DC79DDE60D48C46E4A290350F4CD2458B95AE408772B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:48.283{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA5C-630D-1207-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:48.283{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:48.283{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:48.283{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:48.283{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:48.283{BEA5AFC2-DC7F-630D-0500-000000007402}416432C:\Windows\system32\csrss.exe{BEA5AFC2-EA5C-630D-1207-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:48.283{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA5C-630D-1207-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:48.284{BEA5AFC2-EA5C-630D-1207-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:49.372{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB8D30BC61FCD11D2B4510AF6C201E7,SHA256=9B7737D83B2ACA53CBBF4A5EFC459A84081D0FBD7F11FAFD40A1E7E16FACE57B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.803{BEA5AFC2-EA5D-630D-1407-000000007402}71207116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.624{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.623{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA5D-630D-1407-000000007402}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.621{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.621{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.621{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.620{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.620{BEA5AFC2-DC7F-630D-0500-000000007402}416432C:\Windows\system32\csrss.exe{BEA5AFC2-EA5D-630D-1407-000000007402}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.620{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA5D-630D-1407-000000007402}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.620{BEA5AFC2-EA5D-630D-1407-000000007402}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000038468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.617{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.614{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.612{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.606{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.582{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.577{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.561{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.555{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.550{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.541{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.533{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.524{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.516{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.508{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.501{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.466{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.463{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:49.093{BEA5AFC2-EA5C-630D-1307-000000007402}71327152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:50.475{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A73BC16C643F83B859B1031AD751FDB,SHA256=401127A2DA137AB2F41F3AC169EBA856E9091B6BE1F88E402A304FD847521949,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.716{BEA5AFC2-EA5E-630D-1507-000000007402}64286404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.573{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA5E-630D-1507-000000007402}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.573{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.573{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.573{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.573{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.573{BEA5AFC2-DC7F-630D-0500-000000007402}416500C:\Windows\system32\csrss.exe{BEA5AFC2-EA5E-630D-1507-000000007402}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.573{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA5E-630D-1507-000000007402}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.574{BEA5AFC2-EA5E-630D-1507-000000007402}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000038486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.167{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B99C4AAE9CEB7276908E67AA2384C65E,SHA256=821F5ECBB40F35746D2495BFBFAEAFEFD6304C3F4F128B7EE6A19334042B8041,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.089{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.083{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.082{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.079{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.068{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.051{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:50.048{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 23542300x800000000000000029662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.755{3AAE424D-DEE3-630D-1100-000000007502}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E9E3046E8C4F104C68DEADB34733E2D8,SHA256=BADB0836CE1AACA9FAE7B6D646E70A06E08B0B2F2E3F6797EEE5F6B93AC25567,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.711{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9D5-630D-F803-000000007502}4604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.710{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.709{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.707{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.690{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.671{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.668{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C5-630D-5603-000000007502}208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.620{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.612{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.590{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.584{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.582{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.579{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.575{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.573{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.572{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.569{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.568{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.567{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.566{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.563{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.562{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.560{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 23542300x800000000000000029638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.558{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8796E844C69608D234537A01F6E96825,SHA256=6388F2484F999E9215B3297E98718D1352BDEA86A4E526C2B0B87CC05923B1EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.556{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.550{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.545{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.543{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.536{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.521{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.519{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.510{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.480{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000038513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:51.906{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA5F-630D-1707-000000007402}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:51.905{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:51.905{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:51.903{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:51.903{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:51.903{BEA5AFC2-DC7F-630D-0500-000000007402}416500C:\Windows\system32\csrss.exe{BEA5AFC2-EA5F-630D-1707-000000007402}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:51.903{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA5F-630D-1707-000000007402}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:51.903{BEA5AFC2-EA5F-630D-1707-000000007402}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000038505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:48.870{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53710-false10.0.1.12-8000- 10341000x800000000000000038504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:51.233{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA5F-630D-1607-000000007402}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:51.233{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:51.233{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:51.233{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:51.233{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:51.233{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EA5F-630D-1607-000000007402}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:51.233{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA5F-630D-1607-000000007402}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:51.234{BEA5AFC2-EA5F-630D-1607-000000007402}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000038496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:51.171{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2E0F918F8751A0B2BBED984C253668,SHA256=565443203AF05ECA2C32B53AF2CE4D1868CAE9F32EAF747345B5CF96239CF210,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.471{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.459{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.448{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.425{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.418{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.410{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.402{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.394{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.383{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000029619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:51.377{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 354300x800000000000000029618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:48.815{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50286-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:52.834{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC3FE806AC4473D153983B7CC377D790,SHA256=8FBABD9306C4FBC32763E26C09BA98132D2E122C46069F252DB2A2D6646A5B03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.705{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.697{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.677{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.670{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.662{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.657{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.656{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.654{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.651{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.649{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.646{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.645{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.642{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.641{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.640{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.640{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.639{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.638{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.636{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 23542300x800000000000000038517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.243{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D13E6E86C549C31735A32B9FC6B2646,SHA256=1DBC4EDA17CD33EAFE8505C20845FD6F2F58355468841EF027E0A12794F94753,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.118{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.118{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000038514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:52.047{BEA5AFC2-EA5F-630D-1707-000000007402}64682724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:53.967{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE153569D559392794698D647C60A9F2,SHA256=A0BADE98CF5CA77B696799694CDBAA66DC4D0317111BE073ADA9B7EE416A0BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:53.322{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D423C53932C0A6F19CA467E217E15E67,SHA256=C806AD9F76BB6BBB8B1A06AB3CE7AA6DE70F1826BDEFE2B48DF5BB9926085ED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:54.419{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08560ADF7E3C5DF944C9876ADFD707A5,SHA256=7246D2713AF5A38DAD9A00CEC5BA6ACC25016C9BF7D932E2FB38398EAE1CCC25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:55.511{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F0862FDA1D096677F16FA953DB2476,SHA256=CA66372FE97FD8F6FB0FC6139513AA6231C2D20C8808AC9DD29665E090AA3745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:55.061{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19418C9180C4DCD394F29EDE956B7497,SHA256=C6B725B5393652F97575F9439BCD7D057E935395B3234E884314A023A7A18A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:56.604{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=156BA6AE6729863004CA0590882EA3C9,SHA256=55BCD6CEA4830034267D70E353F035E2B300D207B1777B883CDA51EC41E1D61F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:54.754{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50287-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:56.267{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C67ACA450C1E595EA6B87C0D0C81F5F3,SHA256=B35792E4906CEBCD0AFED2652F32955FA54BC245F61CBBA1B60EEBAD97247F67,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:54.866{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53711-false10.0.1.12-8000- 23542300x800000000000000038541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:57.690{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D405F9AAE4AFCCA1771E0D2F5FEDE4,SHA256=D5A2F70C5DBCD962AEFCB006D4F572CB95EDE1FC0DC7613AD33E9AAF73817557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:57.367{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C14CAC97AD4922C5E2CC7784A0C19E,SHA256=F02CBD9815FB11BF0C7727E82CE73C11C77C8095A02479EFD7B1A3B88EDF28A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:58.773{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D95075D765C25CFA8127B652D285BA4D,SHA256=4D64D7938AB0B5919F93438CF5F8CA6697E378A7B75946578A727FA85149145D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:58.562{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85EFD22BB0AAD06A45F28E7128A27C1B,SHA256=411E4353EC2F25934402FD62A20805804E0FF86569C0D8EA10C564829A1B0819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:59.656{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B37BEA0328342970D39F12CDB8AACD7,SHA256=E1D622B034A683A68FEDDD0C600D478C1C7B78200F9C36A86AD043D836117C70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:45:59.869{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9998D68164E67B0693878C05D5141CD,SHA256=31240651596F096D1D6CB5EC32235F6510565BFD96F139F7B09192428DA2734C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:00.956{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E94567FC735CA6D63366539EDA4EAB,SHA256=840E2CF38D7CA845813B0BCC2B79FB97283A3F9370D12C896A2B38A0C22625DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:00.735{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17681C95C2EABED42282EE69D983D792,SHA256=8E5D7BA3FF2696EA33033F8D178E2FB9AB2724354B985FF3BA85D75B54B46B94,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000029671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:46:00.328{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8bc5d-0xb17edda3) 23542300x800000000000000029673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:01.824{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC6E2C2EAC280C17C7C45983B70912A2,SHA256=E4823D9EFEDE2AE7B5E076D11753229CB590AEF1AAC48F47AAF864F3455619C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:02.929{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5395FAB53F9D7F212A2B425B6CC66B6,SHA256=6AD33EEBCD94CA4FA746222F661CEF6E26470093737A8907B31EBC2ED3381375,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:00.026{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53712-false10.0.1.12-8000- 23542300x800000000000000038546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:02.060{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6D5C8139E952AA420F10DB12441632E,SHA256=625F8B073B6B32FE643BCB47494B95BAC8A9F38F4ABD89E7356D705E8A0F7A11,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:45:59.882{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50288-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000038548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:03.160{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA5F028B58D61392429943F86CED5510,SHA256=448906D57F599164885F5B7C70E8B21D8BB6DAD73D2818727B99BE0EBCC70163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:04.254{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=531F3E2A7A51E954150AC7E20B0E64FD,SHA256=BBFC2060E9E86DE63C4493D79B3D283FCC38392CA4F37BD22C69E0DA9BFB389E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:04.007{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8FFAFE8981B953D3ACEB493A8B6478,SHA256=1B634409F334C2B98FC4CA7A0B25D165294EC3CF68431E2D8867B61EF5300F61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:05.350{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CEC03D7F74938C6CD2DC21487C5C832,SHA256=C6BDC59698703229492FF279DDF0A2F1C2C5F99C538ACD5E6153C4612C95B7AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:05.571{3AAE424D-DEE3-630D-1A00-000000007502}1788NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-057096b16942fd9f4\channels\health\respondent-20220830095653-047MD5=D4339613963D06E92774A3EB9FED8697,SHA256=EC6B2C8C371CA336E2A0B482E95A3B0DACA37B87AC3FADB516AE5F6436D8643B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:05.102{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51A7BEE557EA62CD25597CA44ECC127C,SHA256=83A8E747BB119413C61C659782413C4B6FC548DD9E17EE61D1E6F9810535AC90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:06.445{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D0CD0A0D1036DD85C06FD92EE07D1F,SHA256=25357C14D9AECB01C166346E8FE4084F94185E7FD6A681950D525E6A65920F4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:06.584{3AAE424D-DEE3-630D-1A00-000000007502}1788NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-057096b16942fd9f4\channels\health\surveyor-20220830095651-048MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:06.193{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68FD534234F0A2D18BD3DA8C1536483B,SHA256=8FAC0B8DF9B55DAD860A7F2BA31ACD18959996EE70F7EC06A44EB5B50B690CD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:05.926{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53713-false10.0.1.12-8000- 23542300x800000000000000038552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:07.540{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F2F36E5E3A9D2D362FA966AEB89D053,SHA256=3F4A9AC0E5E4CF9CF4B85A7AA4E711E2B658107AC3652601B6F37E18071C53B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:05.762{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50289-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:07.291{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27A753718080EF640292502101496AC4,SHA256=D3FD5476C4101B26793006B9C00A6BC844F93882597A948623EAA74759063F1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:08.628{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC75EEFCB10293C8F83AB7C3859F97C5,SHA256=EA08CFB4AF98598574DE7E245379FE8CC8DE6A12244E4269D2C5F6968ADBC423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:08.486{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8752E452C58179AC6C1D5D0E5BE58A0,SHA256=CDACCA592005A0529B339FA1AADE65B91C91F225CA108DEE308633BB0D424C37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:09.735{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:09.724{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:09.719{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:09.716{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:09.710{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 23542300x800000000000000038569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:09.707{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41702C9A2918454E7FBD5CBEDC028C0E,SHA256=210D522DF9CFE1CF69DD43CF8F7C408281769D0419029FB22196E156C82D6267,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:09.647{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:09.636{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 23542300x800000000000000029684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:09.576{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2976CFF90B01F3E864A22B29410E954C,SHA256=FBA1B5D240655B81857B10FDA6D634557BBB04AE6FD7F7611BD37742F36AFF0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:09.620{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:09.610{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:09.604{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:09.593{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:09.585{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:09.573{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:09.562{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:09.550{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:09.542{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:09.476{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:09.474{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 23542300x800000000000000038555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:09.469{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F10761BF1FABE9ACA567A4E55D07BF6E,SHA256=D176E9D43E6FB26DF4788AECA2215E705A9EE9BCECF723BD66284464281BB053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:10.750{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E999ACA020D666A83582935117524490,SHA256=6253C616B4A1DFD6A6295F17427839492C1F0DD8ED663B0999921358CD101B2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:10.675{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E00E0F15E69DC89C009DD606107A08BE,SHA256=387F6B2FA0F76C69AE4CA5BB12DE69A9E624BDF60067F86D97D8FE73A77E41D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:10.217{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:10.213{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:10.211{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:10.210{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:10.204{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:10.192{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:10.188{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 23542300x800000000000000038583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:11.852{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0440BF078CE433C94E093D2E996F6D12,SHA256=7AA66D7E27BAAB06D77EF94922CD054E8DBAAC3C36A112BCA84A3C1164657C32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.818{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9D5-630D-F803-000000007502}4604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.817{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.816{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.814{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.798{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 23542300x800000000000000029724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.782{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA814DC1FC16D36500EC4497CC8B594,SHA256=C2F89CBFF17A9AC860FABF802A5ECE02013BF0E43D118F573F5CB6CDCA52D459,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.770{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.766{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C5-630D-5603-000000007502}208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.713{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.704{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.673{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.659{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.657{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.651{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.644{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.640{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.637{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.633{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.632{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.631{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.629{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.627{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.626{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.623{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.617{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.604{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.599{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.597{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.585{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.564{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.562{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.554{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.513{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.504{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.491{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.478{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.459{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.445{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.431{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.419{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.407{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.396{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000029687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.392{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 23542300x800000000000000029686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:11.382{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=EBE4C52D68FDF20401CA7E98B16FE1C8,SHA256=D96F05A46440D64337182AD20189FFA26299D2647D4EF871BABE0C64418315CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.944{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4D198304E00986014CDF95A5BE9BC70,SHA256=F5C085667904BC4FEB6C8371CE3298DC3D308E6CA98FCEA46401A8A96EF08EA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.939{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.939{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.939{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.939{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.939{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.939{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.939{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.939{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.939{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.938{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.938{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.937{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.937{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.936{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.936{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.936{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.935{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.935{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.935{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.935{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.935{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.934{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.934{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.933{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.933{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.922{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.904{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.855{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 23542300x800000000000000029731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:12.827{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C6C41CBE84FBED8E8FE8578CA9B0370,SHA256=EED12758F6F891F3FCB752936DF5EAC24120DC876DECA8744616FE08DB55A67D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.840{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.814{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.806{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.803{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.800{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.792{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.788{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.781{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.779{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.772{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.770{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.768{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.767{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.766{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.765{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.762{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.247{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000038585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:12.246{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 354300x800000000000000038584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:09.222{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53714-false10.0.1.12-8089- 354300x800000000000000029730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:10.851{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50290-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:13.923{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=564974AC66ADDF325AF16D66FBA9B9AA,SHA256=863FCF8DD9CD1E2D575A19EAE2F183AB1FE876335E9D34549C8869EE60B1123B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:11.011{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53715-false10.0.1.12-8000- 10341000x800000000000000038641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:14.569{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:14.568{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:14.568{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:14.568{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:14.567{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:14.566{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:14.566{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 23542300x800000000000000038634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:14.565{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E8EFBB58269EEF7CAFFD3B364688DCA,SHA256=BE219BC0CE84AF60014D58FD992EE4AE1C8D24BAE2B2FBD2A5F06D02DF26B14C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:14.015{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC58D7D0B38FDFEC435CB90D27BA55F3,SHA256=7A1FAA7952F8B32F5343B58B4E66A1B4ED97294FCFDB6E074C6C62332DBA87BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:14.455{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9ACA2573B947138DAF7310C68C64F409,SHA256=FC7EAFD960ED2E8C375A9E58ABA81A9200C8D76CCCF219D0A2395B8D7ECF9704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:15.210{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DBFE4E8E1098311622F40C30A778137,SHA256=7BCEE89DAA1D101A1584C4AA21F3956867DFD0679562A64F7C0B2F78FD0CCF26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.656{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.025{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE1172501CE8A888AC90C05CAA066B3,SHA256=C33DDA72A223850969F71BF28A46408199C5B7FE80CBF5A76A126CCDCE906D64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:16.316{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF88B2F20EA11F7C8B4F0D5B889D2B3D,SHA256=6B7ED8FA4D97EC783451A6DDDE8E93F4D2F6029CC355D2FEB0E7CCD2968FEF14,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:13.225{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53716-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000038644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:13.225{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53716-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local389ldap 23542300x800000000000000038643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:16.306{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD9CF276461BA406C60500A3F5EAF1A,SHA256=DB11851FA8E02138EC5337E99EF1F9BF39B74C1DB1F8C38F3CA5C5B2ABAA7BDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:17.388{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB2B34018AE99C270A1DB55A8CDABFDC,SHA256=FE6E2F88A6CB32E73D07128DD622BFD6D4187478F133CFFE2AA8F061B37A9E55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:17.441{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C61ADDB35C349247D27D350390BB94E,SHA256=779A5F8F7A3D7C32A98359F457BB1AFE4EE647E4258CC79406E1B57C7EDB0D31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:18.488{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26E8DA984BBB7EBB1A372BA21A96D548,SHA256=8D636F7330341359EE51AD12B0A6BFF15D78CE1E60F0236AD53A8EEC4920744E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:15.898{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50291-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:18.532{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7CB83B56EB286D633D8D241A0A1D17,SHA256=D43943B28882AB10BD494DCFC7520504A8AF78AFBDEFB6EA1ACCFA3EBC8AB6C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:18.035{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1934EADC9A94B979D21D136FD8785E91,SHA256=C74E74AF7031A1B02C10426E31835E0BE7010524059D4EDB33BC05F469D778E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:19.575{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FFC4D4B0402050C8A3058B2AAC19494,SHA256=AAC1C68FF7792892FB6C8D93A55904E00427708A9E7748DDC6BD3306523F02B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:19.624{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A4E50C33028DFE71F2C47776BC8D45,SHA256=C65760F79CFFD0D629ABA628A793AED78FE152164298B4AF39EFEBB8F6CD27FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:16.883{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53717-false10.0.1.12-8000- 23542300x800000000000000038651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:20.663{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70331044DB830D462A4654D51EA1A4CD,SHA256=567C14D6475857275CBC290A09A04CF8767985AB5C74E62D50EF587582179A79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:20.717{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8494793325DD6DFC9F34829E8346743,SHA256=7BF561F7B30120A4AE9D09C321AD62D553318856A937F87C273658B12C56DFD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:21.810{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6234A634D5FA125186B8335B4411B690,SHA256=DBC020DB973D6C61C08F5D6C2471938121C0AD5F55980AE41E23EC9DAE3030C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:21.749{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A7ED54D944ACDF938D3B619C24474EC,SHA256=C921EE858A699F17CC3804FE29B7F2066E3EE28685463C4615FAEC80DD87C37E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:22.898{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E18BE72DFCE8DDB8DEFE17D728100CB,SHA256=D852A135B1D0292CA1F57797BA87CAD5A00FEC08E2EA23FDC3E5DEDF78AAD42D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:22.840{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69DE4099CF768B88629A4B6E844556E8,SHA256=F5E1200F7C738CC4FE8F5E0D9EC02B805F6CB140D0485527C41788E339D006A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:23.993{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=913897D098005C9B55DA4958F30BFBFA,SHA256=667BBE6A6D378478BDC530109CD9FB89E654317A617A840E79F8F0E5391CCE37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:23.942{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE0B929F58196EEDF895C4B2A6168282,SHA256=2AF55E7A871777C76611BB25C59613EE9748EF626CFC08FA8A9F9CEF67FC2E8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:21.784{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50292-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000038655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:22.005{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53718-false10.0.1.12-8000- 23542300x800000000000000038656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:25.028{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9BC790542AE13019231D55FF9FABCFA,SHA256=255EBE12D813F045BC4593A63AA0C80AC4C607A8E8D8A4C89B1C50ECE3DF6261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:25.094{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E081AF24CDC147AD947956A002F4A2C3,SHA256=DC8185570DF35C5B85FEB2C9F5F2BD761F8CC7B27E6F4B5E71BBACB256E7506E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:26.384{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F20E1A0E456BF627FD525365FF7DED22,SHA256=61756E03B743F26ECBEB0C8693DEED4EBCAFEE03B86E7E917AE98653A63E5164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:26.122{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=888608C111A58A8F63FD594D310B1277,SHA256=11C02778DE1904E0D8E533E8365C9B3C3ADDF03DB166FDD68B7D0A8FC38BFC9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:27.593{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=845906D656FA3B026EADD7B4812DC5CD,SHA256=AF6A80914BA5EF6024184383AB8445829974B3CBED803A3098E7DBF4386A9D14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:27.857{BEA5AFC2-DC92-630D-2300-000000007402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00bf26b22d19118c1\channels\health\respondent-20220830094700-057MD5=C491190F90C7972FBE76687DCEFF5872,SHA256=DB0E0926111D00D550C987F8CEF70C29389AC9CA5369CEC4CC3BEF95D75DEA18,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:25.525{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local54970- 354300x800000000000000038659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:25.524{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local62674- 23542300x800000000000000038658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:27.224{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D27B0F07D12EA76D7CCB2EDBE4677A79,SHA256=B690090C6729391DD30248D65B98515797B44917B045BBAE44BBF14484EFFA3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:27.358{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F10761BF1FABE9ACA567A4E55D07BF6E,SHA256=D176E9D43E6FB26DF4788AECA2215E705A9EE9BCECF723BD66284464281BB053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:28.858{BEA5AFC2-DC92-630D-2300-000000007402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00bf26b22d19118c1\channels\health\surveyor-20220830094658-058MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:28.325{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74AADCC684A0F9A5ADD60F8A4E94282,SHA256=584650AB965DC22CD879DF4307DD05C4201E47EBA2731C24AC37F14DB2368013,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:28.696{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E64AC45DF4A8238AC2257A8E19183B5,SHA256=A4EAF521EF02C3166F62FF63AEAA3FF8EB720E2972A778D7DDBE0DD65C585726,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:29.782{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEDC1FDBB840F359B0DB5D1413B39BB6,SHA256=8EAFF0784F5E3DC814D2938943C00FFD982BB1E8DD9BFC54474B6E34EE2FBB8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:29.665{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:29.658{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:29.655{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:29.654{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:29.652{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:29.630{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:29.625{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:29.610{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:29.602{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:29.598{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:29.590{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:29.584{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:29.574{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:29.567{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:29.559{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:29.552{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:29.477{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:29.477{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 23542300x800000000000000038665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:29.397{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF49E08CC239910B8417FB4E5CE1776,SHA256=B656995F86C86D4015C45D302B519B0A89D2C6763DFE8F60E2D038B2BFDA46C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:27.896{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53719-false10.0.1.12-8000- 354300x800000000000000029777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:27.052{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50293-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000029780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:30.860{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A567CB6DBDFC88BE2D62309AE7F5065,SHA256=BC5C62C4CB8F3246795D9455688831872C8A8B2C0E20666F90E1E104F21CA23B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:30.454{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D29A5FFA27558AF11029D6373F96726,SHA256=6B96068FFEAAAD5CB5369B2B60FD4449BA370659DCF6A3F3DBE88BCE7733CEEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:27.762{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50294-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000038690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:30.056{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:30.051{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:30.049{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:30.047{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:30.041{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:30.026{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:30.023{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:31.927{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:31.927{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:31.927{BEA5AFC2-DC7F-630D-0B00-000000007402}640808C:\Windows\system32\lsass.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:31.913{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-E595-630D-7006-000000007402}5272C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000038692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:31.551{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80532A50697AB374D547E5DB54E258D6,SHA256=215962DF31EE03DC1237B95C57BF5C319C55F112C0F1D4A8AEFBA06ABF726B2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.697{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9D5-630D-F803-000000007502}4604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.697{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.696{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.695{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.675{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.664{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.637{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.631{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.621{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.615{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.613{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.611{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.607{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.603{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.600{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.589{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.588{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.586{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.585{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.583{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.582{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.580{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.576{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.570{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.567{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.556{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.549{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.530{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.514{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.507{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.468{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.461{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.454{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.446{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.429{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.424{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.414{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.404{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.398{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.382{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000029781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:31.381{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000038718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.670{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.662{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.641{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.631{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.624{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 23542300x800000000000000038713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.622{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F18354C4861051BEC13652DE65D0C6A3,SHA256=5B60A6CC45188B10AA37666345DF2E345483765C2CA05E1F123D06ECCBE034BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.620{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.618{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.616{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.614{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.611{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.609{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.608{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.604{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.604{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.603{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.602{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.601{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.600{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.598{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 23542300x800000000000000029822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:32.061{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0756AA6BC1A5D33C365E9BC7241E24A3,SHA256=86A6C2D0F52E14AACDAB5ED52A6648CD49950F0A3604DDDD495F1459F616EA36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.088{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000038697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:32.087{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 23542300x800000000000000038719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:33.702{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34A3E452CDC3E71E143277348980E588,SHA256=86261380154EA4E9E59F2E1E84DC0D52D996B52A3AE6A1B62BEF77DC77A8D956,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:33.647{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:33.647{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:33.647{3AAE424D-DEE2-630D-0B00-000000007502}6243860C:\Windows\system32\lsass.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:33.641{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x800000000000000029829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:33.641{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x800000000000000029828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:33.640{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x800000000000000029827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:33.636{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x800000000000000029826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:33.636{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x800000000000000029825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:33.636{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x800000000000000029824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:33.634{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:33.118{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D7CED8587E9BA946272F1EFFF6F440,SHA256=85572308E9AF4B859B4F29B73955DAEB477BD3B7546839A4851628F8E44F12C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:34.803{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5FFB64581560AB7A0F3ACCC2AA2A97D,SHA256=E3AA8587F56BE7316A1719778AF2A258419E415F6591743C94964558EA0F003B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:34.197{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50F7B422B8663AE7C553F5B9809CC26A,SHA256=86FBB34C5E35396FE30E3700AFCC9664FC8E4D7C90909F7C7585F4DC2FA80FF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:35.903{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA2E141B1990F967C7FD37FEBA7202E,SHA256=8EF09D2F8E3B828CAC2D7119BDCDE1E563A903C3F3662D25548DC17EC8B19EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:35.280{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A159016F0D8B65350EAE1DBF7A01E956,SHA256=74E59F8A94C1C45319CAE407E0577CDFE18211BD9ADDACA64EA20EA10343E4E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:33.023{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53720-false10.0.1.12-8000- 23542300x800000000000000038724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:36.984{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAC6C003B520B7338B7B7C0C47213B48,SHA256=D5A612E7B9BAF754BA34E6EB490273041D1CB0236F85364AE95716605717CA34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:36.362{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9E4D33EFA5B4988E495FAF661DCFFC,SHA256=CA462A8EB9711E2264D8A8D1EBA4B5BD908A870A2AA450E139C1040519266A3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:35.052{BEA5AFC2-DC7D-630D-0100-000000007402}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse94.102.61.25-34248-false10.0.1.14win-dc-ctus-attack-range-146.attackrange.local5986- 354300x800000000000000029836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:33.750{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50295-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:37.448{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=254FBF25A76EF7C9846BD1401FE78733,SHA256=920AF9FD15ABF94B69995556DDEC05BEBD8FC75F035E9EBCA1E5DA59E460483C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:34.821{3AAE424D-DEE0-630D-0100-000000007502}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse94.102.61.25-51776-false10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal5986- 23542300x800000000000000029840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:38.671{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A582676A3170626EDA3E19683A14A346,SHA256=7FDE09365181C231264D243F80CE79A50D89A6463DE191B509DFBADF07D5D0F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:36.947{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal64986- 354300x800000000000000038726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:36.320{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local50090- 23542300x800000000000000038725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:38.077{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5717C5B6F6B088D8CC27602A779A40B,SHA256=2D2C90EB0FE3300291C7B1B33B9924EAB7164D74F98A65CE039BAD202C2E5FF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:39.766{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=301F2C2864AA76AE6BC2D4E6EF2637E7,SHA256=F6B4E0131B598EC695C70D2961BE7DD553DFDDD5B730056C12500354C1F6D001,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:38.071{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-50090-false127.0.0.1-53domain 354300x800000000000000038730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:37.320{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50090- 354300x800000000000000038729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:37.320{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:7800:200:98f0:a3f5:cc7:ffff-50090-true7f00:1:0:0:0:0:0:0-53domain 23542300x800000000000000038728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:39.164{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422A7CA66C7ADF5D09FD5726FCC1FBD8,SHA256=6A5F9F191C3FE52259D709D131C416A1463A86A5D18400EDAEBC3603A2E9F1DD,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000029897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.982{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000029896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.966{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000029895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.966{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000029894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.966{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE459E250CFE23836E15ED5D3343083,SHA256=95F6470D316CD74C9BDE39AE0B3ED3B374A44095C63CC873DED9138F18E465FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:38.924{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53721-false10.0.1.12-8000- 23542300x800000000000000038732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:40.259{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B82589C06963FFFB4FEBA483E17B9B54,SHA256=7633BA5A28B7EEA7A70E267E63F6578556F8DCF218292B564B167B72A7086DEA,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000029893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.781{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000029892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.781{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000029891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.781{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000029890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.781{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000029889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.781{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000029888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.781{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000029887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.781{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000029886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.781{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000029885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.763{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000029884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.763{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000029883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.763{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000029882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.763{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000029881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.763{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000029880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.763{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000029879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.763{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000029878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.763{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000029877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.763{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000029876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.763{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000029875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.763{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000029874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.763{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000029873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.763{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000029872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.763{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000029871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.763{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000029870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.763{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000029869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.763{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000029868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.763{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000029867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.763{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000029866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.763{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000029865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.763{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000029864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.763{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000029863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.763{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000029862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.748{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000029861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.748{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000029860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.748{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000029859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.748{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000029858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.748{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000029857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.748{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000029856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.748{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000029855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.748{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000029854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.748{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000029853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.748{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.748{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000029851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.748{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000029850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.748{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000029849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.748{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.748{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.748{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x800000000000000029846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.748{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.748{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.748{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.748{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:40.748{3AAE424D-EA90-630D-1104-000000007502}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000030000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.976{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000029999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.976{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000029998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.976{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000029997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.976{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000029996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.976{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000029995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.976{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000029994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.976{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000029993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.976{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000029992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.976{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000038736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:41.825{BEA5AFC2-DC81-630D-1600-000000007402}12961264C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:41.825{BEA5AFC2-DC81-630D-1600-000000007402}12961264C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000038734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:41.353{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=883430D425A32A0986BEA1F8608EA0F9,SHA256=38A9C2B5375FD70A9963B35AE0FBEC87C832298984620FCB1F5357D2E7626C16,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000029991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000029990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000029989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000029988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000029987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000029986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000029985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000029984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000029983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000029982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000029981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000029980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000029979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000029978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000029977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000029976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000029975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000029974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000029973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000029972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000029971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000029970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000029969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000029968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000029967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000029966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000029965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000029964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000029962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000029961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000029960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x800000000000000029959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.940{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.941{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.782{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F22CE9D266540F7102CEB3BE11E7833,SHA256=8659582E50EBA2FFA353CF89C626CAE1CD027F821FD3432E025A63941696EBC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.712{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E768B83129B389BA42620E07E4432342,SHA256=00B2CECA7DABCD376FBE51011C78228D2E8536231959D409CDF086459C1B473F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.578{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=44C8314D725D3062E63D2E4477E9472C,SHA256=2364F601F4EF7B61D1553735AB5CEA2930821E4275C93825CCC5C9E6A8042B16,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000029949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.468{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000029948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.452{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000029947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.452{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000029946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.294{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000029945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.294{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000029944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.293{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000029943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.291{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000029942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.289{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000029941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.288{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000029940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.288{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000029939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.287{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000029938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000029937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000029936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000029935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000029934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000029933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000029932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000029931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000029930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000029929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000029928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000029927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000029926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000029925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000029924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000029923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000029922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000029921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000029920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000029919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000029918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000029917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000029916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000029915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000029914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000029913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000029912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000029911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000029910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000029908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000029907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000029906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000029905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x800000000000000029904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.264{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:41.265{3AAE424D-EA91-630D-1204-000000007502}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000029898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:38.896{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50296-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000038760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:42.468{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0A00-000000007402}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:42.468{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0A00-000000007402}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:42.468{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0A00-000000007402}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:42.468{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0A00-000000007402}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:42.467{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:42.467{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:42.467{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0A00-000000007402}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:42.466{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0A00-000000007402}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:42.465{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:42.465{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 23542300x800000000000000038750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:42.458{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE70C0A8FFB9228740CAC12604F9E529,SHA256=BF4FA28329A0E2BBE0C3E0350F94B349CF245F7671CF6934DC686E240D932DB2,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000030055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.639{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000030054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.637{3AAE424D-EA92-630D-1404-000000007502}56845316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.637{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000030052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.633{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000030051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.489{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000030050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.489{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000030049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.489{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000030048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.473{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000030047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.473{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000030046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.473{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000030045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.473{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000030044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.473{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000030043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.473{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000030042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.473{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000030041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.473{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000030040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.473{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000030039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.473{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000030038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.473{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000030037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.473{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000030036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.473{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000030035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.473{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000030034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.473{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000030033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.473{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000030032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.473{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000030031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.473{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000030030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.473{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000030029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.473{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000030028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.473{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000030027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.473{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000030026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.473{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000030025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.473{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000030024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000030023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000030022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000030021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000030020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000030019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000030018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000030017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000030016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000030014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000030013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000030012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000030011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.457{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.458{3AAE424D-EA92-630D-1404-000000007502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.190{3AAE424D-EA91-630D-1304-000000007502}55084232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.190{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000030002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.190{3AAE424D-EA91-630D-1304-000000007502}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000030001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:42.112{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46DD99F90CE78B6FDD6BB16318AB017E,SHA256=D014A54E2C7FF138A27B53F81443CEA9C34682CD782D044AC61127A9436AD1A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:42.156{BEA5AFC2-DC81-630D-1000-000000007402}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F26DFBFE8759F1701392657736CF666F,SHA256=69AE37EC78474B00438B63BA8DE3C7C4ECC5F0184E23EA18225E559087C0A5FB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000038748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:42.061{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e9110c6e-aaa8-4e4b-8d11-8674554bc97e}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x800000000000000038747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:42.061{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e9110c6e-aaa8-4e4b-8d11-8674554bc97e}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000038746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:42.061{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e9110c6e-aaa8-4e4b-8d11-8674554bc97e}\AddressTypeDWORD (0x00000000) 13241300x800000000000000038745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:42.061{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e9110c6e-aaa8-4e4b-8d11-8674554bc97e}\LeaseTerminatesTimeDWORD (0x630df8a2) 13241300x800000000000000038744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:42.061{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e9110c6e-aaa8-4e4b-8d11-8674554bc97e}\T2DWORD (0x630df6e0) 13241300x800000000000000038743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:42.061{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e9110c6e-aaa8-4e4b-8d11-8674554bc97e}\T1DWORD (0x630df19a) 13241300x800000000000000038742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:42.061{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e9110c6e-aaa8-4e4b-8d11-8674554bc97e}\LeaseObtainedTimeDWORD (0x630dea92) 13241300x800000000000000038741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:42.061{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e9110c6e-aaa8-4e4b-8d11-8674554bc97e}\LeaseDWORD (0x00000e10) 13241300x800000000000000038740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:42.061{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e9110c6e-aaa8-4e4b-8d11-8674554bc97e}\DhcpServer10.0.1.1 13241300x800000000000000038739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:42.061{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e9110c6e-aaa8-4e4b-8d11-8674554bc97e}\DhcpSubnetMask255.255.255.0 13241300x800000000000000038738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:42.061{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e9110c6e-aaa8-4e4b-8d11-8674554bc97e}\DhcpIPAddress10.0.1.14 13241300x800000000000000038737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:42.061{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e9110c6e-aaa8-4e4b-8d11-8674554bc97e}\DhcpInterfaceOptionsBinary Data 354300x800000000000000038765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:42.229{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local56207- 354300x800000000000000038764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:41.837{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.us-east-2.compute.internal67bootps 23542300x800000000000000038763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.561{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68C0EB8F4D999C7B94BC67BF984FDDA4,SHA256=3DCF00E3DDD9EE72880AE0E79E299253BDADFAB7BD85CBD42DCB8D2B4EDBFB72,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000030104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.997{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000030103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.997{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000030102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.997{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000030101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.995{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000030100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.994{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000030099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.994{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000030098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.992{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000030097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.992{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000030096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000030095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000030094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000030093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000030092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000030091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000030090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000030089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000030088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000030087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000030086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000030085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000030084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000030083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000030082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000030081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000030080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000030079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000030078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000030077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000030076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000030075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000030074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000030073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000030072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000030071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000030070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000030069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000030067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000030066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000030065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000030064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.975{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.976{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.223{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CACA0BAAE1E6FEC4CB5B4C6846925626,SHA256=C8FD20671EDC4AABEF5111BA9AC9D7D4B215718BB2AAA87FD3B8A3ED41AA5443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:43.223{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A11DBE9EE6274F7255307C006AEFF24,SHA256=08C1F7297DF0AF260FB02F306BBF912145C895359E5FF4DBD4F30D9C10B98279,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.071{BEA5AFC2-DC7F-630D-0B00-000000007402}6404752C:\Windows\system32\lsass.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.071{BEA5AFC2-DC7F-630D-0B00-000000007402}6404752C:\Windows\system32\lsass.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000038780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:44.648{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10914BB0B03E9D72177BD2BA602DCAE0,SHA256=27ABBD12D3EFEA6E234A60A2530E2DFBF68E7E2E0DDEB3C10866377EA688BECA,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000030167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.898{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000030166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.898{3AAE424D-EA94-630D-1604-000000007502}48081084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.882{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000030164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.882{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x800000000000000030163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.788{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000030162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.788{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000030161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.788{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000030160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.787{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000030159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.787{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000030158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.786{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 734700x800000000000000030157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.711{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000030156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.710{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000030155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.710{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000030154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.709{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000030153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.706{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000030152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.706{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000030151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.702{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000030150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.700{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000030149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.688{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000030148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.686{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000030147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.686{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000030146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.684{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000030145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.671{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000030144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000030143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000030142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000030141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000030140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000030139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000030138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000030137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000030136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000030135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000030134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000030133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000030132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000030131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000030130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000030129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000030128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000030127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000030126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000030125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000030124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000030123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000030122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000030121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000030119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000030118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000030117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x800000000000000030116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-DEE2-630D-0500-000000007502}4081028C:\Windows\system32\csrss.exe{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.655{3AAE424D-EA94-630D-1604-000000007502}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.373{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C10949C81672D0630DAB1A5447F8DA38,SHA256=BFE8DBC1509F42F5ECAF4B173E407C215BA43F65E0EBF159628FF81B8F1D4427,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000038779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:44.093{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E9110C6E-AAA8-4E4B-8D11-8674554BC97E}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000038778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:44.093{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E9110C6E-AAA8-4E4B-8D11-8674554BC97E}\StaleAdapterDWORD (0x00000000) 13241300x800000000000000038777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:44.093{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E9110C6E-AAA8-4E4B-8D11-8674554BC97E}\CompartmentIdDWORD (0x00000001) 13241300x800000000000000038776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:44.093{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E9110C6E-AAA8-4E4B-8D11-8674554BC97E}\FlagsDWORD (0x00000002) 13241300x800000000000000038775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:44.093{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E9110C6E-AAA8-4E4B-8D11-8674554BC97E}\TtlDWORD (0x000004b0) 13241300x800000000000000038774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:44.093{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E9110C6E-AAA8-4E4B-8D11-8674554BC97E}\SentPriUpdateToIpBinary Data 13241300x800000000000000038773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:44.093{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E9110C6E-AAA8-4E4B-8D11-8674554BC97E}\SentUpdateToIpBinary Data 13241300x800000000000000038772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:44.093{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E9110C6E-AAA8-4E4B-8D11-8674554BC97E}\DnsServersBinary Data 13241300x800000000000000038771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:44.093{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E9110C6E-AAA8-4E4B-8D11-8674554BC97E}\HostAddrsBinary Data 13241300x800000000000000038770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:44.093{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E9110C6E-AAA8-4E4B-8D11-8674554BC97E}\PrimaryDomainNameattackrange.local 13241300x800000000000000038769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:44.093{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E9110C6E-AAA8-4E4B-8D11-8674554BC97E}\AdapterDomainName(Empty) 13241300x800000000000000038768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:44.093{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E9110C6E-AAA8-4E4B-8D11-8674554BC97E}\Hostnamewin-dc-ctus-attack-range-146 10341000x800000000000000038767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:44.078{BEA5AFC2-DC7F-630D-0B00-000000007402}6404752C:\Windows\system32\lsass.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97fa2|C:\Windows\system32\kerberos.DLL+7a1d8|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33585|C:\Windows\system32\lsasrv.dll+3140b|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 13241300x800000000000000038766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:46:44.078{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E9110C6E-AAA8-4E4B-8D11-8674554BC97E}\RegisteredSinceBootDWORD (0x00000001) 734700x800000000000000030108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.147{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000030107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.147{3AAE424D-EA93-630D-1504-000000007502}5148628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.147{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000030105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.147{3AAE424D-EA93-630D-1504-000000007502}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x800000000000000038799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.876{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53957- 354300x800000000000000038798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.875{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local62674-false10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domain 354300x800000000000000038797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.875{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local62674- 354300x800000000000000038796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.875{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:b800:200:58f1:a3f5:cc7:ffff-62674-truea00:10e:0:0:0:0:0:0win-dc-ctus-attack-range-146.attackrange.local53domain 354300x800000000000000038795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.875{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local65335- 354300x800000000000000038794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.874{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53368- 354300x800000000000000038793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.874{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53368-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53domain 354300x800000000000000038792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.874{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local50951- 23542300x800000000000000038791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:45.736{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B698E585547656299F0A4F20B56DE843,SHA256=3D31DE803BA9A50B499AB32C3C7F65476AF5D24482475B33739A33760A15A634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:45.530{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47185BC99EF771CCD7D119887D47C69A,SHA256=4A61C1D253085CBFC123B3A7BAD06193F07BF6ABE02250CCA31D618F11856A8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.870{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local63177-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000038789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.870{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local63177-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000038788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.869{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local64384- 354300x800000000000000038787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.868{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63176-false10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domain 354300x800000000000000038786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.868{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63176-false10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domain 354300x800000000000000038785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.866{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63645- 354300x800000000000000038784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.866{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63645-false10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domain 354300x800000000000000038783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:43.856{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local54523- 23542300x800000000000000038782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:45.179{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BD069C25EB22151368FCA3BDD133695,SHA256=9D149A7274627C0E9F320244B5747699D63365F8C0DC87239E445F769C8660B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:45.070{BEA5AFC2-DC7F-630D-0B00-000000007402}6404752C:\Windows\system32\lsass.exe{BEA5AFC2-DC7D-630D-0100-000000007402}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97fa2|C:\Windows\system32\kerberos.DLL+7a1d8|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x800000000000000038802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:46.835{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04A81D06E974D41596F1FD73476DBD2F,SHA256=CF5B7476B61DB3849CC230E95DF1DA69D991B2E46448492B8E63F450B25D3D40,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:44.847{BEA5AFC2-DC7D-630D-0100-000000007402}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63178-false10.0.1.14win-dc-ctus-attack-range-146.attackrange.local445microsoft-ds 354300x800000000000000038800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:44.847{BEA5AFC2-DC7D-630D-0100-000000007402}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63178-false10.0.1.14win-dc-ctus-attack-range-146.attackrange.local445microsoft-ds 23542300x800000000000000030220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.631{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C595DABE7F86CFB570EFEFEEF93F7115,SHA256=890BB4D8B84CF90BFB6F107F9EAFD39F5CC47227ADC43E921C00357C8148A8C2,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000030219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.413{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000030218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.413{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000030217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.413{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000030216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.241{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000030215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.241{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000030214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.241{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000030213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.241{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000030212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.241{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000030211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.241{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000030210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.241{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000030209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000030208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000030207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000030206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000030205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000030204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000030203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x800000000000000030202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000030201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000030200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000030199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000030198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000030197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000030196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000030195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000030194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000030193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000030192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000030191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000030190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000030189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000030188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000030187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000030186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000030185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000030184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000030183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000030182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000030181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000030180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000030178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000030177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000030175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x800000000000000030174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.225{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:46.226{3AAE424D-EA96-630D-1704-000000007502}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:47.701{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C36523BFC179D258569C928CB63D144,SHA256=F619D9B3748D2E90E9CE50E53965DCA1C6E2D944D04B0E86CDE5B28D0944AAEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:44.940{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63179-false10.0.1.12-8000- 10341000x800000000000000038810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:47.632{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA97-630D-1807-000000007402}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:47.632{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:47.632{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:47.632{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:47.632{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:47.632{BEA5AFC2-DC7F-630D-0500-000000007402}416500C:\Windows\system32\csrss.exe{BEA5AFC2-EA97-630D-1807-000000007402}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:47.632{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA97-630D-1807-000000007402}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:47.633{BEA5AFC2-EA97-630D-1807-000000007402}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000030222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:44.825{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50297-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000030221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:47.311{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D912B8A2CD3CC23650831279672B703A,SHA256=F270FEB2846C98668F53992CFE6588D2F7893F1908400EAD884ACFC58B210505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:48.805{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23220D6599827B8B8E8B11C5B003E3C7,SHA256=383FE9F98810CA4A8FCEC76A0FB26B3268E0B91CDEC24F644D4A36750693889C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.969{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA98-630D-1A07-000000007402}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.969{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.969{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.969{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.969{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.969{BEA5AFC2-DC7F-630D-0500-000000007402}416500C:\Windows\system32\csrss.exe{BEA5AFC2-EA98-630D-1A07-000000007402}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.969{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA98-630D-1A07-000000007402}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.970{BEA5AFC2-EA98-630D-1A07-000000007402}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000038823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.656{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=46C29A3E4ADEC1E2EF5A68F0B1993E3B,SHA256=9B4D4C3CA81E1C9AD81D89FDCD0A7EA673D1602ED7504B1AF0394C2EE999EEE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.461{BEA5AFC2-EA98-630D-1907-000000007402}32925392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.304{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA98-630D-1907-000000007402}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.304{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.304{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.304{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.304{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.304{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EA98-630D-1907-000000007402}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.304{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA98-630D-1907-000000007402}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.305{BEA5AFC2-EA98-630D-1907-000000007402}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000038813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.211{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1645A9F93484E04533EEEF94812C8E50,SHA256=1F9BA9AFF4F8BCF5C2E5BD8F52FBBA5EDD1AD1E1C5674353804A6EE606FA492A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:48.023{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D49622067C859CBD4D3DB2B34891D1FD,SHA256=BBB52DAC862545506F36E6BE1AA881A2F56651207EA4ECBF85B0D8138FE27CD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:49.895{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC8A2DD91D1A9F388DB3B82FAA88D1CB,SHA256=E38659D01F4EF0ACF3891875F83BEFF9819042ADFCD1360DA184444C1E8A4CE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.992{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.988{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.987{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.985{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.979{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.966{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.963{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.788{BEA5AFC2-EA99-630D-1B07-000000007402}40404068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.641{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA99-630D-1B07-000000007402}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.639{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.639{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.639{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.638{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.638{BEA5AFC2-DC7F-630D-0500-000000007402}416500C:\Windows\system32\csrss.exe{BEA5AFC2-EA99-630D-1B07-000000007402}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.638{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA99-630D-1B07-000000007402}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.637{BEA5AFC2-EA99-630D-1B07-000000007402}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000038850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.629{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.619{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.617{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.615{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.613{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.587{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.581{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.569{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.562{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.558{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.549{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.541{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.532{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.525{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.517{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.509{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.467{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.464{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 23542300x800000000000000038832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.125{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB860E5CB696B17DE761E324DE986ED,SHA256=B841CA39B1A19054A6778957309E5B8133ECBA76CD788922C5CA022C50F2AE73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:50.716{BEA5AFC2-EA9A-630D-1C07-000000007402}52246444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:50.688{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EA9A-630D-1C07-000000007402}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:50.688{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EA9A-630D-1C07-000000007402}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:50.688{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EA9A-630D-1C07-000000007402}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:50.687{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EA9A-630D-1C07-000000007402}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:50.687{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EA9A-630D-1C07-000000007402}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:50.687{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EA9A-630D-1C07-000000007402}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000038875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:50.566{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA9A-630D-1C07-000000007402}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:50.566{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:50.566{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:50.566{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:50.566{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:50.566{BEA5AFC2-DC7F-630D-0500-000000007402}416500C:\Windows\system32\csrss.exe{BEA5AFC2-EA9A-630D-1C07-000000007402}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:50.566{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA9A-630D-1C07-000000007402}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:50.567{BEA5AFC2-EA9A-630D-1C07-000000007402}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000038867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:50.267{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA1E9AB4639A72DB5A682C87D6697BA3,SHA256=CD49302269002B66B401F6EF3DEAE8FD135225C2FD7039A4EB46E49E6E7829A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:49.949{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63180-false10.0.1.12-8000- 10341000x800000000000000038901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:51.884{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA9B-630D-1E07-000000007402}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:51.884{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:51.884{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:51.884{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:51.884{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:51.884{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EA9B-630D-1E07-000000007402}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:51.884{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA9B-630D-1E07-000000007402}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:51.886{BEA5AFC2-EA9B-630D-1E07-000000007402}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000038893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:51.768{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=343E2C0CABEA82090056CF1AE9005D61,SHA256=2309A24E6A5FB853F50FFD273061FC495FEA39A6C889996689A4AD9D2C46506E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:51.396{BEA5AFC2-EA9B-630D-1D07-000000007402}8765472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000038891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:51.380{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CCA8384DF1C9B733A3594774A803B1A,SHA256=152C12950BCE026E5FA9903BC97BD075F5C6C6D85D074B91DBC990B6C9DC3E70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.758{3AAE424D-DEE3-630D-1100-000000007502}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=CADA21B796BA609867964945EA5801E9,SHA256=11FD3F307617C51CB0847426672F5B4D2CE98D874B810F469C53322355FAFA53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.685{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9D5-630D-F803-000000007502}4604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.684{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.683{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.681{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.667{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.653{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.617{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.604{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.590{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.584{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.583{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.580{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.572{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.569{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.567{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.563{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.562{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.561{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.559{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.557{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.555{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.553{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.549{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.543{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.538{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.537{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.526{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.506{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.500{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.491{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.463{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.454{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.446{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 354300x800000000000000030235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:49.861{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50298-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000030234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.438{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.426{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.422{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.414{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.406{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.399{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.391{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.388{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 23542300x800000000000000030226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:51.003{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E65C57D294147A8CC4D01D2F7F77EB,SHA256=BCDC664A5539811F34C94F89502EDF668E175C80515DA6169B516C597EAFA42F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:51.239{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EA9B-630D-1D07-000000007402}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:51.239{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:51.239{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:51.239{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:51.239{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:51.239{BEA5AFC2-DC7F-630D-0500-000000007402}416432C:\Windows\system32\csrss.exe{BEA5AFC2-EA9B-630D-1D07-000000007402}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:51.239{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EA9B-630D-1D07-000000007402}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:51.240{BEA5AFC2-EA9B-630D-1D07-000000007402}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000030280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:46:52.649{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000030279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:46:52.649{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x002ddaa5) 13241300x800000000000000030278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:46:52.649{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8bc55-0x6e92ab0e) 13241300x800000000000000030277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:46:52.649{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8bc5d-0xd057130e) 13241300x800000000000000030276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:46:52.649{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8bc66-0x321b7b0e) 13241300x800000000000000030275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:46:52.649{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000030274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:46:52.649{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x002ddaa5) 13241300x800000000000000030273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:46:52.649{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8bc55-0x6e92ab0e) 13241300x800000000000000030272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:46:52.649{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8bc5d-0xd057130e) 13241300x800000000000000030271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:46:52.649{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8bc66-0x321b7b0e) 23542300x800000000000000030270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:52.147{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50CE364384FE2F269D2928A55F9176AF,SHA256=650CD698EA9C0ED35756285C42A28ADB2A70FB48C251F41519BE4636D504BDFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.616{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.607{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.582{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.571{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.561{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.556{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.551{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.549{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.546{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.543{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.541{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.540{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.536{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.535{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.534{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.533{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.532{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.531{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.529{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 23542300x800000000000000038905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.481{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C9BB27CEF1E8625294A0619F47C30F,SHA256=CBC72C3FC5CE703FA46895ECF5FBDE5DBA618C62CD3FE7BFDFA881797513D87E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.011{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:52.010{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 23542300x800000000000000038925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:53.560{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EFC905B15CF30455ABFA72AA7C33529,SHA256=D0FC589E8FEC976B8562502B3D960E7CEB0526272E044A58494ECE010D5BB481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:53.305{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00B40C687235BC2DACDDA9DD42A6327D,SHA256=84354DF18AC0EEDF393053A64F9B344528FB4D5AAC54EA84958489620E07F513,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:54.658{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABBDFB394F045B2CF86CCB0ED093F423,SHA256=CF770DCB6766CF7B667EC5F06E4F861132770EB4FA7530871A59CEC37A89555C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:54.392{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D314CEC2AF6CBD293DD8CB1EA91F077,SHA256=6198223DBBE6BCFF0104E21B321C49C1524A017D5F0E6DCEF9FE91083177D97A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:55.764{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E77F7229284CEE3D75D54F695ED46AA1,SHA256=539DADA64276793B575FACD0E700579DCEB3A4F4C6D52966A41E3B0654686476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:55.484{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=611B3805D88EE74C78FFEE9B5661FBAD,SHA256=442078EF6D8D1C273BD0DB8B74307F0AF52B3AA9A68531B4DCA0238712913C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:56.885{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E97F68C7A46CB24F9A5A4670572CD02,SHA256=A68964064986C3E11AB580FF16690DCBDE88E81F1B47F9DBF3A0E657C87D5915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:56.854{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881E9692FE973E5B90053B3160C608D9,SHA256=5800C7C34BA81AEA08ED2AED6626407B5F157B5C2F79D2E670DD6FCD6B8BAAB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:56.578{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6107E8E4DC694DF8F2B16D3AB55FC61D,SHA256=AD69135E5FDE6FD44B75593C144D8CCDD8579148ACC5549DFDF7798B677BB9AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:57.951{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46605501E40B9AC6E14B47FA1C6EE6EE,SHA256=A4D399BF9D4E836027933BCA21FFA57CD6F9DBBB9EAD6E3FFA15CD6BE2240874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:57.669{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43761449C01E69AB0F6F45CD2602E79F,SHA256=75F1466943A366B6AB7E69934E31B6D91DFAAC8AD04D87A4FD185F7DF93264E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:55.834{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50299-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000030287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:58.660{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDEC9D3D7FDCBD8D4F024D2B1A0F4CCB,SHA256=199DEF4351D7E17C92C24812ECE49D8130A68834DD201E1CC610015203A6C5EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:55.884{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63181-false10.0.1.12-8000- 23542300x800000000000000030290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:46:59.736{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C88ECBF58C28EFD2B9198A92EAC775CF,SHA256=9F5B06711003A17A22A29B10B1EB220B8EA79E9336090BAF090EDE3C214C0148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:46:59.041{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3797E52576EC4F0C02A6BCEBA2CA807F,SHA256=3E1D23D7FFCC044AFF82DAC5062C6D68E9F7EC3F703A0A4D063E199D547799D1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000030289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:46:59.580{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000030288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:46:59.580{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 23542300x800000000000000030291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:00.947{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC487868A046F6738DC51BB8E0D0ADFE,SHA256=D231D23434D99E1C1B114733AF76A5AB98DE7EBD41FC3BF850B90070E00069C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:00.115{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DFBC6B40CA71E372BB452734BA87D87,SHA256=AD1A556F6C89EABC5F425BD1EB9C943859EEE00DD79B89C6598B4CAA2B494F22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:01.205{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83975160A4599013CC990111985D4A37,SHA256=7E664ABA07381DAF719E1503E14BE3D74FA98D46C69DFEEF2EAF819B8C6B3B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:02.309{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94BE94AB0A6FA61A3BE70836DC3857BC,SHA256=2D555A4C89D8260ADAB7354C9EEE0C1409E57D587FFC79B563FF8195D6C384ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:02.040{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243C7314C0AEE9FE0DAC5CF41DDE8C7C,SHA256=A22C65E3B24F3477EE86B0FADC71168C782E2E314C026EC0B70DD930EEEE3B97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:03.397{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1900EA90A65C9B4283DB9D9017117A2A,SHA256=9DE3784FD38F0476B9F55D0074531259B1FB2CCC21B5AA603747F041F52A5B53,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:01.812{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50300-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000030293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:03.132{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6F10791700E18D2885F1C78DC417F41,SHA256=37F8DF43C90DF8F44DD356A809EC81E7F7F25AAE40D13CCA12CE503A7B884339,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:00.887{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63182-false10.0.1.12-8000- 23542300x800000000000000038938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:04.490{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB7B01FC54031BA122C84DD9E1B2799,SHA256=8259D0E403F9F1F7A0351C2E9BB83C42C330B2DE680DC006CD7642A174754575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:04.321{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87FB496BCD566B6D90FDBDDDC8956099,SHA256=49BD6DEEFBF8EE3E1807022FCC67C259E8C3D5B841978878801450BEAD3A90BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:05.578{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131F80A18944F52C2C8A9F990C62FB53,SHA256=FD511CA4A60D648EE7230ED84B2EB83E7CFB8338B39FAE35DFA51539C6821BA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:05.406{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D3082505E08037732C10F7F8FF6FCAC,SHA256=6B6AE61ADBA2C94B1FC66AB17464CAF8652296CDE02C9A6CF310519F48D1ADCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:06.680{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6C4D32BB4057A8F3F5FA0CC7FA84F3,SHA256=9899FA3F09864D73CDA03BB845451CDE51120FF715C7B57DA25CBA788FCD4F41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:06.499{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B46F5E7ABEA8606C787406B8BB98A274,SHA256=4640599CC4B62896D854014975DB86A40AC2591AE447E021791E878547362848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:07.768{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34169F27C9701CA1D22854E6F5484AB,SHA256=E3A7DC9588218986D5690143DFED4EEFC191BEB44CEE6A66602AF5460A35DA2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:07.594{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9219900B237B7B3DE2EB22D377D6E7EF,SHA256=B558DDB340FC56E48956B56310944FEAC34D164E9CD82C795AB1963FD1C98DEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:07.112{3AAE424D-DEE3-630D-1A00-000000007502}1788NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-057096b16942fd9f4\channels\health\respondent-20220830095653-048MD5=D4339613963D06E92774A3EB9FED8697,SHA256=EC6B2C8C371CA336E2A0B482E95A3B0DACA37B87AC3FADB516AE5F6436D8643B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:08.868{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F58F78F22F14185908197317B74BE163,SHA256=356E021046C1695E6E5B48C2A512B47C5BE5FCAACF84F405B9E05F5DE22CBE44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:08.803{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=741DF723D17D76EEE73085E74FCCCC0D,SHA256=110C6FC6D5640D3D8633567A01C1F2AECB3EA4465C6E994B921D91DFFB487037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:08.113{3AAE424D-DEE3-630D-1A00-000000007502}1788NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-057096b16942fd9f4\channels\health\surveyor-20220830095651-049MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.921{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CDEB71CC15860963FC62A1ED5374BF3,SHA256=86068DF81BC445239026A1AF25DDBABAEA18266C32AB98177DCC56093E66A9D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:09.895{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED860A78E184F3923F80F6362B87A367,SHA256=4BD0A1E89346699D2F30D6A63A5DB6E714E3BB8D3F069E2D654657ECE1F96FA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.701{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.693{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.690{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.688{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.686{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.648{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.639{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.619{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.609{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.601{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.588{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.579{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.566{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.550{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.531{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.513{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 23542300x800000000000000038946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.477{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F10761BF1FABE9ACA567A4E55D07BF6E,SHA256=D176E9D43E6FB26DF4788AECA2215E705A9EE9BCECF723BD66284464281BB053,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.470{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.466{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 354300x800000000000000038943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:06.885{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63183-false10.0.1.12-8000- 354300x800000000000000030302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:06.912{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50301-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000030304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:10.989{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60E8E274BFA07E796370A96EE20D3DF,SHA256=77CC8C28CDBAE7C6D7310649C2240CAB3E98AA9656F704755271D13E43392291,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:10.150{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:10.145{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:10.144{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:10.135{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:10.130{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:10.117{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:10.114{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 23542300x800000000000000038971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:11.001{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=178B532AD48A29A08F53109CE2022363,SHA256=16543143B67F45EF493D99E399E4A556DDFB01DF0306D93ED068A863E9CF4E1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.787{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E03694A0B5F5B15BA85475AAFF21DEA7,SHA256=A79A89497371F04E06280B6F6DCD22004457936CC6D48B5F9D8AC4F20D57B029,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.722{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9D5-630D-F803-000000007502}4604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.721{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.720{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.716{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.693{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.668{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.626{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.619{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.609{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.598{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.596{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.587{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.584{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.581{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.580{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.574{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.572{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.570{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.569{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.564{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.562{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.561{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.557{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.551{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.548{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.546{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.532{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.515{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.513{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.501{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.467{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.459{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.451{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.443{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.427{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.422{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.411{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.401{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.392{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.381{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:11.378{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 23542300x800000000000000030347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:12.295{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E8A16D8AC9DC70A6CF925A62941EE28,SHA256=3DA7F85E58AD642A53FA27E33974DBB909EDD5F73EC09A89377D27BAEEE67682,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:12.783{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:12.773{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:12.739{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:12.732{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:12.720{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:12.714{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:12.712{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:12.710{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:12.707{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:12.703{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:12.701{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:12.700{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:12.696{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:12.695{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:12.694{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:12.693{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:12.691{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:12.690{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:12.688{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 354300x800000000000000038975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:09.248{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63184-false10.0.1.12-8089- 10341000x800000000000000038974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:12.170{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000038973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:12.169{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 23542300x800000000000000038972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:12.094{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C86F7343075130CDFDB496FFBD1DD65,SHA256=B7964310678112C2671742EFE983887323499E333CA34A80B8899F73262DB107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:13.375{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD7663AEED35D52A0A3FD94C3216FA59,SHA256=7359735CDC6EDC2C2CC8C86A1DABB1ABB79D79ADA8548649E854E45F66D3ABD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:13.166{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D2ED788909F798FAA818375D43B256F,SHA256=5F43576A85FB8E6500BB51E6474207489EF5F06813B3F40778F29B8FC32515DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:14.574{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4722BC356272950027163E46893A4CB,SHA256=B675BD7EEB500CF4181CA429456455B7DFBFF1A07765C88169B6FADB15723543,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:11.929{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63185-false10.0.1.12-8000- 23542300x800000000000000038996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:14.246{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=695DC0C3F0985EC98CF2EDA84DE00157,SHA256=99F39FF3BA285AE538CD5AD7E7D6E4801960DC6131C51619227164B795239401,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:12.818{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50302-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000030349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:14.476{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2309E414D91C0A44D3B1CF58BEE0AFC0,SHA256=46A508086596CD9450AE24FD21D8A8BF3DB820A44ECB9D83DD98CCBAAE076254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:15.335{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=204EF3AA4D050D5C0B21F75FA0638623,SHA256=5B7014CF4FA898B3D29F938D607FE326737F9E61111E3AC3DD25A34C0BD54E02,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:13.238{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local63186-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000038999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:13.238{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local63186-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local389ldap 23542300x800000000000000030351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:15.563{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA52B9CE694F7A31A3FE26172382622E,SHA256=3A4631047E8F7CBD18A3B748C231078762DCAFA1E4A01FCB79106DEB33D4D2F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:16.654{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48E119E84A3AF1E735B1917C88BB1871,SHA256=020F3D81EAADE730F11EB75EDAFE725B193C5D56096103FFD0FB76F9EDD7410B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:16.425{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1334D23148D087878E14C892079AA676,SHA256=B4995879B294738A202348B27FBBA40A554B59C8B5BF8DD8C32951CD213469C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:17.855{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6A7099BC5A6C6D283DF5E89826DD31F,SHA256=0AD4AABD7CF5DC5B79316C3B3BE63C27C5B7F6357FB59EE86A5E9D3682CD18B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:17.517{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D862E86B2C37681B11B368D0CCA12C44,SHA256=AF7E4D05C72A9236116331FFA3165437DB890E40447957A1E0186E49CBA23ABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:18.604{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A62FAD0D2CD6E3D2C983E4171AFD8CD2,SHA256=51C7CE123552E3C379A55EF681C856F980C6684CA89BAF0CAF1B8219DA38F8BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:18.353{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6917F5564AADD5AFE8CBE1E04E1B97A1,SHA256=F22FBD203E2B03F336611CA7D40C5E97395DD8970596BD9B21F2BAC3560830B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:19.705{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02273450FD81A9EA482F8351E249A8E8,SHA256=98A3B9886116FDE9AE225B5F1933F6C9E8B1C7EC8960F90E8AF3B10A1F3A684D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:19.060{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B466979609262287C3FE5BE03FA4A643,SHA256=9F8688019090928FBAAC0004D87064D3FBBDF0EF5DDE1E9EA08B88C092000CDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:17.888{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63187-false10.0.1.12-8000- 23542300x800000000000000039008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:20.794{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=043BD8AB1244192F46B3D3DEE0AEDCC9,SHA256=621D7B0A3699CE390D2655E7A2C2354F71145F2282CB04245650E26D87764B37,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:18.722{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50303-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000030355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:20.147{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=618BA89D4CC8359798ADC3CD1A7B5492,SHA256=0F9D977B7558D8B65E1F5336BF0E12DC0A9A1226074AD0380254B7CBDC6BD18F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:21.888{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49FCF94ABF7CD8707D3C15A9769878D7,SHA256=933D8AF96D9F33B2C68394EDA481CF10FA7994348ADEB4E845A2FF958FA0EA43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:21.237{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86AE67308E9A1DF15A6C382ADD563C39,SHA256=7900C76E7B6B8A246E8F35A2FC0E430DECBFDBC15671C4C4208CC29323E56593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:22.993{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=813DBE5D91A820CB0CC4B0095CFFEFDC,SHA256=F9A2C9EC9853E2DE8DC9022C9024C127D2F72008B5E8214CFB987103D924C559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:22.328{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F6C70AD1A3AEF5836B3A78FAEAB1EE9,SHA256=F5707AD60449437B4E1A93904A3C4270E8C997AEDB731F06494105FDF1D1D683,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:23.406{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5972CC26FC51D76895DF0DC5EC72E03A,SHA256=A8FDF99000D3703206009EE84320C1465C22E429C84C2084B19BC55571FAD3B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:24.500{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DEDD997ED09A654AA504434B55B3792,SHA256=1CB8BB5C28A643675D4ADDCB5741B79062A8DCA5A5E0994A6D348269EFC5BE8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:24.098{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D30CFD74ACDC4647DA6CCC07A05466BA,SHA256=534BB3BBC96C5B1136194BB75D29D7FECFB47112A1D21016735EAF15E744939A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:23.898{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50304-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000030361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:25.595{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1203AEFA0733BABE40517BFE1086E857,SHA256=02C80CB718011B145F3CFA97C83291211FCE90289AAF13F13EA27D4A7118EC9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:23.826{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63188-false10.0.1.12-8000- 23542300x800000000000000039012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:25.184{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B568CD46073864553283005C18E80F00,SHA256=5A3B707556D86734E2887D0D754BF11FBD75C3BEFE00B2424C5810C30E84482D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:26.688{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37837B4F7249052A0B33A1F146F8FA2A,SHA256=6DD143E9032E3F317EFBB006BA3A5531794A4D5521ACA20B8805B66344B67DBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:26.274{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34B044091E04D7D9E46DD4BFEC0C5490,SHA256=00BD7512CE70BB0085D283F8AF9C09648B29D05F0C8E659906F9CBA17D012B97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:27.777{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C158543F5C6D94FC0FC745E9E06574C6,SHA256=742EA018C9932AE8D40768ACB77BAB42B1D6E5D9CCF18EAE90EDA7BE3681C894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:27.368{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC977BB173CE9B3DB22E351BCCDE053C,SHA256=0605E30E91C2ACC62E4B2FD63B4595D0C64D418A0868C5BADBC1778C37488A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:27.385{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F10761BF1FABE9ACA567A4E55D07BF6E,SHA256=D176E9D43E6FB26DF4788AECA2215E705A9EE9BCECF723BD66284464281BB053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:28.461{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DBC8288DB499EA68CD7F3D9458419DE,SHA256=12BBD39154AB88226CFD311F64EA6499B4B3162B82041739DC2A602DCEBE5140,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:29.646{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:29.641{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:29.638{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:29.636{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:29.634{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:29.608{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:29.602{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:29.588{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:29.580{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:29.575{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:29.561{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:29.553{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:29.543{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 23542300x800000000000000039024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:29.540{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50F17D97EC37772DB2B9262F3B496EBB,SHA256=86DD5D05F05325C67997BB94A337B00CBCDDB8D098B1E811A474BAE680FDBF26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:29.536{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:29.528{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:29.521{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:29.482{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:29.479{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 23542300x800000000000000030367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:29.092{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A551B3C7EFA3C158F50684CBBAD6E246,SHA256=8A7BD8A5D25E8D4FE7818F2734094D703891B94882179B22F851933F3F67E114,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:27.079{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50305-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000039018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:29.370{BEA5AFC2-DC92-630D-2300-000000007402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00bf26b22d19118c1\channels\health\respondent-20220830094700-058MD5=C491190F90C7972FBE76687DCEFF5872,SHA256=DB0E0926111D00D550C987F8CEF70C29389AC9CA5369CEC4CC3BEF95D75DEA18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:29.009{BEA5AFC2-DC7F-630D-0B00-000000007402}640768C:\Windows\system32\lsass.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:30.898{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68819F53B54199F85B017805422C49AA,SHA256=AD174A554517E69C0F5675E3035C8A2C1FA50BDC65F86E61127C57EF12E8862B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:30.078{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E454B71A30847E6A65F56A7779AF5EE,SHA256=67FE54E62D73C5FABB2F6C1E0F7ECC85937E4B76F70C42AE7337B0D20625669D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:30.374{BEA5AFC2-DC92-630D-2300-000000007402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00bf26b22d19118c1\channels\health\surveyor-20220830094658-059MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:28.786{BEA5AFC2-DC7D-630D-0100-000000007402}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local63189-truefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local445microsoft-ds 354300x800000000000000039045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:28.786{BEA5AFC2-DC7D-630D-0100-000000007402}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local63189-truefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local445microsoft-ds 10341000x800000000000000039044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:30.121{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:30.115{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:30.114{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:30.111{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:30.103{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:30.075{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:30.071{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:31.935{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:31.935{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:31.935{BEA5AFC2-DC7F-630D-0B00-000000007402}640364C:\Windows\system32\lsass.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:31.923{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7B58865CD1A3430BF223D7CF74D0A7C,SHA256=D8108F772FB27F91D0A7EF9C30FA6F233D08DA1F707384F0FBF3E990D582A3F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:31.921{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-E595-630D-7006-000000007402}5272C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.790{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E9D5-630D-F803-000000007502}4604C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.789{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.789{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.788{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.758{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.747{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.716{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.708{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.699{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.694{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.691{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.688{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.686{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.683{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.682{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.660{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.659{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.656{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.655{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.653{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.652{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.648{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.645{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.638{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.634{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.630{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.620{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.595{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.591{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.578{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.526{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.513{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.500{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.486{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.459{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.449{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.442{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.433{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.425{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.415{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000030370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.411{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 23542300x800000000000000030369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:31.164{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3FE3DFA4F86AA3A3AE97B86B8CDBACB,SHA256=BBD03F2BBDB317D748CCBC80D7ED48BE61A2DD53006C94582231084AC77A0A07,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:28.909{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63190-false10.0.1.12-8000- 23542300x800000000000000030412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:32.455{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC3E7097D72DA3F849B0D30837CE5AA8,SHA256=81EDA6729B953BEB7CE729143DB75B6047C758F4581BB533E7D49D0EEA7E6BD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.915{BEA5AFC2-DC81-630D-0D00-000000007402}9123812C:\Windows\system32\svchost.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.739{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.732{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.707{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.701{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.692{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.687{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.686{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.683{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.680{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.668{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.666{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.665{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.660{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.658{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.658{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.657{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.656{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.655{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.653{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.141{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:32.140{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 354300x800000000000000030411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:29.772{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50306-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x800000000000000030462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.721{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wmiclnt.dll10.0.14393.0 (rs1_release.160715-1616)WMI Client APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiclnt.dllMD5=6B61852EDC8F0EB9E555CF5308A1CA67,SHA256=73CBABE06D58CF771AC647C0DE916BD668FEC96A40EDF7283D50C1C7DE07FE08,IMPHASH=9178CB7144790F36275451518A7203D6trueMicrosoft WindowsValid 734700x800000000000000030461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.721{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wmi.dll10.0.14393.0 (rs1_release.160715-1616)WMI DC and DP functionalityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmi.DLLMD5=BECC01CF48016043B5DC3D5477CC08CF,SHA256=449E882DBCD4DD25B8F10CD62623DCB15E5B6375B0699463506EA55886B7B9DA,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000030460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.721{3AAE424D-DEE2-630D-0B00-000000007502}6243860C:\Windows\system32\lsass.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.721{3AAE424D-DEE2-630D-0B00-000000007502}6243860C:\Windows\system32\lsass.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.721{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000030457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.721{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\framedynos.dll10.0.14393.4169 (rs1_release.210107-1130)WMI SDK Provider FrameworkMicrosoft® Windows® Operating SystemMicrosoft Corporationframedyn.dllMD5=F5BCBB0713FF862975B07056D25E166E,SHA256=DBB3B6E35E0FEF5B878DE8C85AF578B51C1C2DB025865354E27394AEA87824B2,IMPHASH=AB84E6F170EE70C2F0F5C709A85E872CtrueMicrosoft WindowsValid 734700x800000000000000030456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.721{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000030455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.721{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\cimwin32.dll10.0.14393.3297 (rs1_release_1.191001-1045)WMI Win32 ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationcimwin32.dllMD5=35C291C2351E11C928195BFD018A972C,SHA256=CC1655A2CD71118C0197A1A96D47E86C74F58AA6D589B55F77D8C1C12C542BA7,IMPHASH=5CFF0D3EC414472191BC623FB107BCF1trueMicrosoft WindowsValid 734700x800000000000000030454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.705{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4,IMPHASH=EE3767E8CDC80CCB91A8FC0A7407A4A9trueMicrosoft WindowsValid 10341000x800000000000000030453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.705{3AAE424D-DEE3-630D-1400-000000007502}8641136C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b910|C:\Windows\system32\wbem\wbemcore.dll+255ef|C:\Windows\system32\wbem\wbemcore.dll+24a8a|C:\Windows\system32\wbem\wbemcore.dll+2484e|C:\Windows\system32\wbem\wbemcore.dll+2684b|C:\Windows\system32\wbem\wbemcore.dll+22b68|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.689{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFF,IMPHASH=200200BEAF933FA4627BF83C67BA473EtrueMicrosoft WindowsValid 734700x800000000000000030451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.689{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000030450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.689{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000030449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.689{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3,IMPHASH=96416B54C1F2E15EF294753DF1CB4131trueMicrosoft WindowsValid 734700x800000000000000030448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.689{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x800000000000000030447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.689{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.689{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000030445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000030444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000030443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000030442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000030441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000030440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000030439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000030438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000030437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000030436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000030435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000030434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000030433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1,IMPHASH=69BCD1B17DF0CA323B0C1639784D745BtrueMicrosoft WindowsValid 734700x800000000000000030432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ncobjapi.dll10.0.14393.0 (rs1_release.160715-1616)-Microsoft® Windows® Operating SystemMicrosoft CorporationNCObjAPI.DLLMD5=EA51AB4DE69030FC62B5014175D27A88,SHA256=774A8136F6FC789952548DA2A72F2E53E32A33E91C48EA707C1D823058515DAB,IMPHASH=8BFED2C4A0A233671E2426106589658DtrueMicrosoft WindowsValid 734700x800000000000000030431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3,IMPHASH=481A52B415277FC8692C7D6D9EA3475CtrueMicrosoft WindowsValid 734700x800000000000000030430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.675{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000030429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.658{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000030428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.658{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000030427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.658{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000030426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.658{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\WmiPrvSE.exe10.0.14393.2155 (rs1_release_1.180305-1842)WMI Provider HostMicrosoft® Windows® Operating SystemMicrosoft CorporationWmiprvse.exeMD5=E1BCE838CD2695999AB34215BF94B501,SHA256=1D7B11C9DEDDAD4F77E5B7F01DDDDA04F3747E512E0AA23D39E4226854D26CA2,IMPHASH=20C3512CFF09FABFB994B8B9DBF73B4FtrueMicrosoft WindowsValid 10341000x800000000000000030425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.658{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.658{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.658{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.658{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.658{3AAE424D-DEE2-630D-0B00-000000007502}6243860C:\Windows\system32\lsass.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.651{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x800000000000000030419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.651{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x800000000000000030418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.649{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x800000000000000030417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.646{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x800000000000000030416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.646{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x800000000000000030415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.646{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x800000000000000030414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.645{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000030413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:33.628{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAC8E478A77900ACED4258103E1253DA,SHA256=AAF7DD8E6B48E3CEF27A09C5704D6030781A97DFA62B25D852A3A273C3DA9435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:33.119{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B33F5EC0BE275A1ADABA379468B3992E,SHA256=C8B51BFF5FC68AD2A97BDDACB8378A3183F71740C72DC7235297BE83BD022F69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:34.310{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80049E0EF4B71696F0B66C191F056881,SHA256=09DFC56F57B84B9D0D0940337E83AFF0714C79310E4330DBF4974A7FEFEB3834,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:34.526{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000030467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:34.526{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000030466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:34.526{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000030465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:34.525{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000030464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:34.525{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000030463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:34.525{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 23542300x800000000000000039081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:35.403{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DACC5D6829E7023444F8A73AFD27A3C,SHA256=F699487981F5198F6F322D522B5620DD02C83370E4EE66DB76C5C485917DA9CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:35.163{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=180314E37159307780242C4D04BDB7E6,SHA256=3DBDCA3ADE173D5D6224CE8E2CCE8B4A89D6AED53C89A4CAA11444565C2284D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:35.163{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35A29C7EE177CD77073F004A6CD28E40,SHA256=9A2582E69FA80515C0DEF7D58005569C888A3F54EE2A0BB3213F8196B702E2C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:35.184{BEA5AFC2-DC7F-630D-0B00-000000007402}640364C:\Windows\system32\lsass.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:35.184{BEA5AFC2-DC7F-630D-0B00-000000007402}640364C:\Windows\system32\lsass.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000039083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:34.850{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63191-false10.0.1.12-8000- 23542300x800000000000000039082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:36.484{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=727BDD83F2CE55FB3C16EC71BE645B40,SHA256=6A18D347296DDCE40323FBEEC5F8192E3A862CD29CD9CD750866A10B003FE91D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:36.248{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77BA58324E46D36EB62784902796444E,SHA256=55296BA718808DC19394A4EB4E724DD80726E1B13FCA1D9A3276B54AFE689200,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:34.962{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local63192-truefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local135epmap 354300x800000000000000039085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:34.962{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local63192-truefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local135epmap 23542300x800000000000000039084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:37.585{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F42E75DA2C4723B917F4C76814B4E3DF,SHA256=1BFD14AE98374E4C1126E7E242BAEDBECFEEDC1C5EBD96E54E65085CC0A91656,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:37.336{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013286CD210C3ADCF6D26182AE4A0393,SHA256=48F2934A8D85D53622E4D79E6857BB515B26EF861A05AD1833940869D9EA4107,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:34.810{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50307-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000039087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:38.664{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0909474DB5D2B81B31E0FA826C1DA285,SHA256=18D17670B3AE7BFF189E8ACD29C23A6B02C6ED1CD3DAC71C250687E88564EE7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:38.423{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C83FCCD0A1DF4E8A8ACE5B45B1F450,SHA256=BD90199AC6765451B840EFEE23B9F19A7E0315001220886190C3CEDE26F9FAD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:39.755{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E30C80F1D8CDE3550B2CE6E9CED639,SHA256=2243533E3B3BBE526C3225060F37FD5B0AE19F3B8A87F6A96AB4748E767B68E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:39.610{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D720DD5D304307B9ED17990328094E91,SHA256=7AB7C13B67A37E9E96D2A18F935822C8136048506F5F6CFB7BB892BD5086BF20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:40.852{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41346DF14402A366849578B389C3C418,SHA256=538A765DF593E0912FFDC50A6BD8F05D97FDEF35A7E901D07708E91C2439D5FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.944{3AAE424D-EACC-630D-1904-000000007502}30122968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.944{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000030525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.944{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000030524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.774{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000030523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.774{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000030522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.774{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000030521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.774{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000030520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.774{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000030519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.774{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000030518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.774{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000030517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.774{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000030516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.774{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000030515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000030514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000030513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000030512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000030511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000030510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000030509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000030508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000030507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000030506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000030505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000030504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000030503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000030502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000030501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000030500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000030499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000030498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000030497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000030496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000030495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000030494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000030493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000030492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000030491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000030490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000030489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000030488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000030486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000030485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000030484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x800000000000000030482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-DEE2-630D-0500-000000007502}4081028C:\Windows\system32\csrss.exe{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.759{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.760{3AAE424D-EACC-630D-1904-000000007502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.712{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7BC30333F9F0CD88220BA4F914674C2,SHA256=16B8F34A6944053EEAA0645A8944D7F62B2F499D53F8C703DE0EF2A0D62B0CBA,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000039093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:47:40.255{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8540D214-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8540D214-0000-0000-0000-100000000000.XML 13241300x800000000000000039092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:47:40.240{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\06A4B577-CE6B-4918-863A-B3583677E3E5\Config SourceDWORD (0x00000001) 13241300x800000000000000039091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:47:40.240{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\06A4B577-CE6B-4918-863A-B3583677E3E5\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_06A4B577-CE6B-4918-863A-B3583677E3E5.XML 10341000x800000000000000039090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:40.240{BEA5AFC2-DC7F-630D-0B00-000000007402}640808C:\Windows\system32\lsass.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:40.240{BEA5AFC2-DC7F-630D-0B00-000000007402}640808C:\Windows\system32\lsass.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:41.934{BEA5AFC2-DC7F-630D-0B00-000000007402}640808C:\Windows\system32\lsass.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:41.934{BEA5AFC2-DC7F-630D-0B00-000000007402}640808C:\Windows\system32\lsass.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:41.934{BEA5AFC2-DC7F-630D-0B00-000000007402}640808C:\Windows\system32\lsass.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:41.934{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2577EA6F384771953DBA87A849A6450,SHA256=482112312F458ED7DEF9DE8F5D4F6495882497F84EB175AE61672ED295A3E328,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000030634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.955{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000030633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.955{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000030632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.955{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000030631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.955{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000030630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.955{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000030629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.955{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000030628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.955{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000030627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.955{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000030626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000030625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000030624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000030623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 23542300x800000000000000030622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD8F256C2BBA8CD94AEBB31FCD08F48,SHA256=593C009B18CA62679E65F57E6517D57B6B2859420D87C6E2583E16F677D13FFD,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000030621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000030620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000030619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 23542300x800000000000000030618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB8F26606E24DF47511D22954E82EBA9,SHA256=33C9427265D82A4FDFA01E12F1865C43C59C4133B28653D5D8ABF52E6AF1A958,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000030617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000030616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000030615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000030614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000030613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000030612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000030611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000030610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000030609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000030608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000030607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000030606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000030605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000030604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000030603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000030602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000030601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000030600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000030599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000030598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000030597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000030596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000030594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000030593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000030592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x800000000000000030591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.939{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.940{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000039098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:39.874{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63193-false10.0.1.12-8000- 10341000x800000000000000039097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:41.102{BEA5AFC2-DC7F-630D-0B00-000000007402}640808C:\Windows\system32\lsass.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:41.102{BEA5AFC2-DC7F-630D-0B00-000000007402}640808C:\Windows\system32\lsass.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:41.102{BEA5AFC2-DC7F-630D-0B00-000000007402}640808C:\Windows\system32\lsass.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.627{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000030583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.627{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000030582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.627{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000030581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.517{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468D02E308DF736E71F741A5CCC50878,SHA256=668CE446BD9DDB374C293B73CDEE9D247B7407BFD2E511C9DA4DAAECC5FD56D5,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000030580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.455{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000030579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.455{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000030578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.455{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000030577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.439{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000030576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.439{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000030575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.439{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000030574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.439{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000030573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.439{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000030572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.439{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000030571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.439{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000030570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000030569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000030568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000030567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000030566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000030565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000030564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000030563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000030562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000030561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000030560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000030559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000030558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000030557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000030556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000030555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000030554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000030553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000030552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000030551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000030550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000030549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000030548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000030547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000030546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000030545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000030544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000030543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000030542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000030541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000030540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000030538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000030537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000030534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x800000000000000030533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.424{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.425{3AAE424D-EACD-630D-1A04-000000007502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:41.330{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3D8B5F6198A111EEBBEF80A2AC26CB8F,SHA256=2017749C5D9CB5B2D819F6FA8A4DA7097323E39245E3EEFC99D38EEE9D80445E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:40.877{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63194-false10.0.1.14win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000039107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:40.877{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63194-false10.0.1.14win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000039106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:40.033{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:b800:200:58f1:a3f5:cc7:ffff-49447-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000039105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:40.033{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local49447-trueff02:0:0:0:0:0:1:3-5355llmnr 23542300x800000000000000039104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:42.217{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FD081EAFC713F638C564DC606BBA577,SHA256=56674F2F5E05AEC9E0EBA41465216F3DD19AA60758747093A43AB41A6FAC1612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:42.170{BEA5AFC2-DC81-630D-1000-000000007402}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0CA706A61CEB8A9A9A64989E55DD7D8C,SHA256=280BF9145E12418C7C964362C9040522C23EF01882C195CAA7903BB0D292394C,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000030689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.788{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000030688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.788{3AAE424D-EACE-630D-1C04-000000007502}36082632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.788{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000030686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.788{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000030685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.616{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000030684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.616{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000030683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.616{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000030682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.616{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000030681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.616{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000030680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.616{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000030679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.616{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000030678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.616{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000030677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000030676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000030675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000030674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000030673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000030672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000030671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000030670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000030669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000030668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000030667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000030666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000030665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000030664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000030663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000030662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000030661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000030660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000030659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000030658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000030657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000030656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000030655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000030654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000030653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000030652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000030651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000030650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000030648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000030647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000030646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000030645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-DEE2-630D-0500-000000007502}4081028C:\Windows\system32\csrss.exe{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.601{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.602{3AAE424D-EACE-630D-1C04-000000007502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.142{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4B05C53CB28D5277CB072D10EE3F9203,SHA256=17FC6601B00025D7C693DBAE47DD97CC08104CFEF9CFA518D30D1735BDFC8F04,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000030637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.127{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000030636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.127{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000030635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:42.127{3AAE424D-EACD-630D-1B04-000000007502}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x800000000000000039111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:41.710{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63195-false10.0.1.14win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000039110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:41.709{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63195-false10.0.1.14win-dc-ctus-attack-range-146.attackrange.local389ldap 23542300x800000000000000039109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:43.024{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E168FB580EE4F270C1DB370B3A6E7773,SHA256=896C576727A0300F52011C6378B8AA0F2E52442E4079F8BA360A08D4E1990382,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000030729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000030728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000030727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000030726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000030725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000030724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000030723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000030722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000030721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000030720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000030719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000030718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000030717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000030716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000030715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000030714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000030713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000030712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000030711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000030710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000030709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000030708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000030707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000030706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000030705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000030704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000030702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000030701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000030700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x800000000000000030699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.979{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000030692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:40.794{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50308-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000030691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.085{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB6D2726D202CAAB433F8AE6B2DE801,SHA256=74B8642D1DD412A4B71CBA8ACEBAC70330E60922F80C32A59982D87216179419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.070{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95A473B39F5EEFAF596E3B7871ED8691,SHA256=E09DFED7045781245FD17E98FBE7B758E428A290C1353B973453F31D2BAE5A82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:44.112{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DBBCEA8D7BC43D69EA450AF77C97145,SHA256=CF13CC3FE3D293536E613E736BB536AC3859ADDD9101676E809B0407B9F12E77,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000030796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.833{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000030795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.833{3AAE424D-EAD0-630D-1E04-000000007502}3396880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.833{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000030793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.818{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000030792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.677{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000030791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.677{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000030790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.677{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000030789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.661{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000030788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.661{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000030787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.661{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000030786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.661{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000030785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.661{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000030784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.661{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000030783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.661{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000030782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.661{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000030781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.661{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000030780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.661{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000030779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.661{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000030778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.661{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000030777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.661{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000030776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000030775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000030774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000030773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000030772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000030771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000030770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000030769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000030768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000030767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000030766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000030765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000030764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000030763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000030762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000030761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000030760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000030759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000030758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000030757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000030755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000030754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000030753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000030752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.646{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.647{3AAE424D-EAD0-630D-1E04-000000007502}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.276{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9DC63C7D7D8F79CE8CD12C64EBCD7B5,SHA256=BD59456FC1B0E2613BC7ADA1B826F93BB7F2EB93595226E593B8AD35EF4E86F9,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000030744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.135{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000030743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.135{3AAE424D-EACF-630D-1D04-000000007502}18522660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.135{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000030741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:44.135{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000030740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.994{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000030739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.994{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000030738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.994{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000030737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.994{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000030736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.994{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000030735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.994{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000030734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.994{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000030733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.994{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000030732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000030731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000030730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:43.978{3AAE424D-EACF-630D-1D04-000000007502}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 23542300x800000000000000030797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:45.362{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A72288F930B652AAFB86F96C39CBF449,SHA256=0AC92A0B81DECD9B2C6681D403119CA31ADC56B031E099803DEC941C3B52BBC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:45.205{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=260E9AA3C6159003CA2281CAB1A94F67,SHA256=B3AA2FBD127863699F6649C3018DCA6CA7BE95CC63223B5D4F73C826BC356919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:46.295{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B6CFAC4E865F6D791D466858E94325F,SHA256=57527139794B8AEA6A015EA27C438AEE7A0A7994996FA639A2258628F3A3CB01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.916{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB82BBB09061379A45BDD832DA87F4A4,SHA256=DBCE9762B04CA761103B58C52B9D2CDB25062ED65FC4C34ACCFD511B1A6E7B39,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000030854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.494{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000030853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.494{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000030852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.478{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x800000000000000030851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.402{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000030850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.402{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000030849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.401{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000030848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.401{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000030847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.400{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000030846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.400{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 734700x800000000000000030845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.284{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000030844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.284{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000030843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.268{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000030842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.268{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000030841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.268{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000030840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.268{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000030839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.268{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000030838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000030837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000030836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000030835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000030834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000030833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000030832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x800000000000000030831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000030830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000030829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000030828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000030827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000030826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000030825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000030824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000030823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000030822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000030821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000030820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000030819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000030818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000030817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000030816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000030815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000030814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000030813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000030812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000030811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000030810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000030809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000030807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000030806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000030805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000030804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x800000000000000030803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000030799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.252{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000030798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:46.253{3AAE424D-EAD2-630D-1F04-000000007502}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:47.831{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=BD64451E4990A9B7D908685BE99EB006,SHA256=C19C8DD0F090C95572650F798D96AA2305665704AF5DB97B2DBAF4663EABA17A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:47.799{BEA5AFC2-EAD3-630D-1F07-000000007402}31362704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:47.764{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EAD3-630D-1F07-000000007402}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000039129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:47.764{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EAD3-630D-1F07-000000007402}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000039128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:47.764{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EAD3-630D-1F07-000000007402}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000039127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:47.763{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EAD3-630D-1F07-000000007402}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000039126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:47.763{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EAD3-630D-1F07-000000007402}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000039125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:47.763{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EAD3-630D-1F07-000000007402}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000039124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:47.631{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EAD3-630D-1F07-000000007402}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:47.631{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:47.631{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:47.631{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:47.631{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:47.631{BEA5AFC2-DC7F-630D-0500-000000007402}416432C:\Windows\system32\csrss.exe{BEA5AFC2-EAD3-630D-1F07-000000007402}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:47.631{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EAD3-630D-1F07-000000007402}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:47.632{BEA5AFC2-EAD3-630D-1F07-000000007402}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:47.505{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C1FF0AFE56ED5E91A4A5462FA027B90D,SHA256=479D733E561837A831505924A0A461179D88316767A3328233C85630463AB541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:47.396{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED34B8B556568C9D5CE6ACDCE5252C8,SHA256=492AF57AEC1D52B6F10FE3EE896A46B3CC6B2F90BB74E1B51C79A51F53082E53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:47.481{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB1A19A84C34C05049F4B0BB6CBB99C,SHA256=273AE2A1BE1AC89E9AB71D71F2D064C59397A291BA8CF50A2D17D019151EBB9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:47.307{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE7DDBBD72443E2645A9CFA0A86F2407,SHA256=E3D94B159358C1987B14538E4AE296E19D05FEDDE7ED2A5A27697838257C7B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:48.571{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=436DEFF4C9B2AF432382E9C7E061285A,SHA256=4065037D64BDEBAE4DC4C472ECABE0F8BA9C11D36573DAC311C083B6829FF589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:48.986{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=028341CDFD6DD76ED7EFFD38B58FD10A,SHA256=C621F27787B5B40744FEE9A167B333164A0ED33D1170C03DE718F97D1865CF67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:48.970{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EAD4-630D-2107-000000007402}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:48.970{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:48.970{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:48.970{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:48.970{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:48.970{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EAD4-630D-2107-000000007402}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:48.970{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EAD4-630D-2107-000000007402}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:48.971{BEA5AFC2-EAD4-630D-2107-000000007402}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000039142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:45.867{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63196-false10.0.1.12-8000- 23542300x800000000000000039141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:48.487{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93D2156CDE69CA8618E1E31D312ADCC5,SHA256=41E13C1B8E10F656B0FDABA1C91800F3A40DE6F9E7C846E58079860067BE61BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:48.300{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EAD4-630D-2007-000000007402}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:48.300{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:48.300{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:48.300{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:48.300{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:48.300{BEA5AFC2-DC7F-630D-0500-000000007402}416432C:\Windows\system32\csrss.exe{BEA5AFC2-EAD4-630D-2007-000000007402}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:48.300{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EAD4-630D-2007-000000007402}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:48.300{BEA5AFC2-EAD4-630D-2007-000000007402}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000030858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:45.898{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50309-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000030860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:49.658{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF5DB1DED4AF5263952E013C64C62443,SHA256=3D5D252FEBFD7F1A9F3461DBC01D90C2374AE5B01E7B4572E3D275503DE2B89D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.994{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.981{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.978{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.769{BEA5AFC2-EAD5-630D-2207-000000007402}18886600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.618{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.611{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.608{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EAD5-630D-2207-000000007402}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.607{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.606{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.604{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.604{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.604{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.604{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.604{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.604{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EAD5-630D-2207-000000007402}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.604{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EAD5-630D-2207-000000007402}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.603{BEA5AFC2-EAD5-630D-2207-000000007402}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000039165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.578{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.572{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 23542300x800000000000000039163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.568{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75A2B883E7E0DAA54306B3160A5E8245,SHA256=A4BC077896244BB02DF0E9C9DB623EC3C1BE7DBC1CD04C249B0A1F7D1CFB60BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.558{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.551{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.546{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.537{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.530{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.522{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.515{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.507{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.500{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.468{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:49.466{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 23542300x800000000000000030862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:50.858{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA7A21E4F2366F50784502C6E9154BB2,SHA256=8D87707B07CA290422BD32699FB23CAA3DF2CF7365471183520C92A8B3DEB982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:50.750{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=761802BF66EF3B1B8FAE03902A3EC82D,SHA256=16A4D241FA46B434E2D4539DA604B86667644A3C4559211AD4977CEB8A75F9F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:50.719{BEA5AFC2-EAD6-630D-2307-000000007402}64726356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:50.577{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EAD6-630D-2307-000000007402}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:50.577{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:50.577{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:50.577{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:50.577{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:50.577{BEA5AFC2-DC7F-630D-0500-000000007402}416432C:\Windows\system32\csrss.exe{BEA5AFC2-EAD6-630D-2307-000000007402}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:50.577{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EAD6-630D-2307-000000007402}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:50.578{BEA5AFC2-EAD6-630D-2307-000000007402}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000030861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:47.443{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:14d7:2692:f5ff:fef0win-host-ctus-attack-range-115546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 10341000x800000000000000039186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:50.014{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:50.010{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:50.008{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:50.006{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:51.808{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EAD7-630D-2507-000000007402}6368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:51.807{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:51.807{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:51.806{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:51.806{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:51.806{BEA5AFC2-DC7F-630D-0500-000000007402}416432C:\Windows\system32\csrss.exe{BEA5AFC2-EAD7-630D-2507-000000007402}6368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:51.806{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EAD7-630D-2507-000000007402}6368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:51.805{BEA5AFC2-EAD7-630D-2507-000000007402}6368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:51.617{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D01AD70206FC2D1E17FEE7DA87417C,SHA256=A6606FC423647F2A247B3BFA9DA62C5B36EE279BAA35855D5D35E4D22BA714C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.768{3AAE424D-DEE3-630D-1100-000000007502}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3E923E673E4A77B107CEBA305EA1CCF2,SHA256=A0BBF17A071DA348AEC874DC2ACEA6DB8715B47436E033B0380625020E65CC32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.717{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.716{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.715{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.714{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.696{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.681{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.643{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.631{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.622{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.617{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.614{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.605{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.603{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.600{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.599{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.594{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.593{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.592{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.591{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.589{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.587{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.583{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.578{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.570{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.567{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.562{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.555{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.539{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.537{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.523{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.487{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.473{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.466{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.451{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.440{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.432{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.419{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.411{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.399{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.388{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000030863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.385{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000039205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:51.380{BEA5AFC2-EAD7-630D-2407-000000007402}63606376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:51.256{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EAD7-630D-2407-000000007402}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:51.256{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:51.256{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:51.256{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:51.256{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:51.256{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EAD7-630D-2407-000000007402}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:51.256{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EAD7-630D-2407-000000007402}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:51.256{BEA5AFC2-EAD7-630D-2407-000000007402}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:52.866{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9C3D15C68024827DC7EA28E74B1AE86,SHA256=B8C3C9A361C67D7EFB8AB5A89AE5E5B70CA4779730086553827EA025AE91ABD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:52.649{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:52.640{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:52.619{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 23542300x800000000000000030905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:52.081{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF76D7C7EB6B2C391AA1687344255A6D,SHA256=EBC03FEB465B7456DC536BDEA804EC3F5EBC0EBF0CB417F5597463C0448C5EAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:52.613{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:52.604{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:52.599{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:52.598{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:52.595{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:52.591{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:52.588{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:52.583{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:52.582{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:52.578{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:52.577{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:52.577{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:52.576{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:52.575{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:52.574{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:52.572{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:52.055{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:52.054{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 354300x800000000000000039238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:51.015{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63197-false10.0.1.12-8000- 23542300x800000000000000039237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:53.665{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D58AE03A8BA456B528664FBD8D668B,SHA256=D73CE0B74011BDA2CC1694546F7AF520B10F1B786F0CA3D003483F892A528262,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:53.131{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B95CDE85F043182FBA590AE481B60A,SHA256=C28EA1F86EF99EBB0CD77A79DB503A7E899D018737DCB1A4483FF4EA995B25F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:54.751{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8099B75F40B4E18BC2099D618BA33744,SHA256=77EF89FDB7EB36DED4B81D3E829048DF454B977899E8A6EF3B3A2EBEB581CF72,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:51.790{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50310-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000030907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:54.226{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=256384FF4686E33BC5A72A7A268BEE42,SHA256=60B6B0D8AD48010A1F316B00AEC4619327DD04AA7925BBEB81ABD6C3394CDF27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:55.837{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE27912F625F7DEFC99FC9A016A6138,SHA256=47078422CCB610DBA3EED57C50357992E998E1532936E57449B686E1DC467D2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:55.312{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=542B969FA00B8C71E145EABE42397FF9,SHA256=3ABC37861631F6D6F7AD6D67F613E585114C4D6B5BBD475679BFFDDD7E4BF2AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:56.925{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C015EE3DBF1A86377AE99C4DE4BDE61,SHA256=66E274CE205EB1700C037457BACD284485BA937E4046CBE2ACF99D11A3DB8B89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:56.401{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8CBBD7766029D9675BCB4E7FEF2413C,SHA256=0893C3D9111D11F419DF58847936665F4EBC1E2D7A6B8963DB980F88EFF28563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:57.491{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9528C5B3BBEFE799C0D0EDA53D988DE,SHA256=DFA6EB9798D592EA40E6728B979755F6E6E5BD4886A9B648E29036198D22B950,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:56.918{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50311-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000030912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:58.589{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169FEE55661CEA5E91C2DB8D2ADA35A0,SHA256=105A7D21659F5A12D256151223D0016D3D441C78280CB52EE1EC7778BD0B8604,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:56.919{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63198-false10.0.1.12-8000- 23542300x800000000000000039242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:58.025{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D564886CC0A70571DBE195864009510C,SHA256=24E130C9AEBE29D389E6A3F4D4AD04650A0E38987A27B19F5F296DDCD6F8015B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:47:59.687{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23FEA3AB0887C041322308B71CF7692D,SHA256=C6F37B916631A83DEBF9179907CCC654FE87D3233A355F138CE2408E05D70129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:47:59.121{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3D1B226EC18361B6D1BDF83B3F35BC5,SHA256=11C1BBE614A69C2D3D656FBE376EC854412300DBC92184CDB7890A641532AB56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:00.781{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F22F0FA3920D3D4FBC6DE4CEE0CAFD5,SHA256=1C9B306309D220E66BAD466C97D743E9AB5432A55D0DA17B98884793767F19F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:00.197{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CCFA1DCDC29EE81ACD5D27D039BDB24,SHA256=AA02BB252D6F04EC8F2E263CCB7EC1F819754A9B0D78477C70FD4F733A5BE8D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:01.874{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB685B685DED5EFA46AF40B4B43A5B8,SHA256=8A48C8EC9E5D859CDDF66D939D9FE47D76544EC8AB0B4E06BB7B094027A46CDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:01.273{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E907BDF0FCF34B594AA99ABEF7D90CC7,SHA256=BBD7ED65B8C21E2B5BBB1FB2471D30012EECCE376342902F908F8515FCDD2E64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:02.960{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4909E500624E00790A14C173BA271E32,SHA256=4C02A2E11AFC8E90EEB91914F30692D8F75CD08445D74B3EBF60C36E013ECE29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:02.364{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD54FAFC4CE3BD904A9B1E603E1C239,SHA256=22FC9C876FAA6DD321A0C1280E363279D47E443AD6C4F213532B696DC305F230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:03.452{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9285A0C5F93697E3DA91E60A971CE470,SHA256=3515F8AD7CB56F8D4B665126D594BF56A5739AA1468061BC1D60CEA68B7059FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:04.530{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBAD1B740933EF5E57724C3F922C3883,SHA256=CEB439B31AC6A131108402BBAE1777DFBEF4B1396BD0106F046C15B9595908F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:04.023{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40819909277C01AEE72BC51FC215FA4D,SHA256=B7A5A7CA11CC3D6333CF9AD0649CC0DB6ED210D5695E9C01C4EA00F8A1AA7C65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:05.613{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24ACE267DAA121FDF5A9FD9875CE931B,SHA256=62E6C8ECF065D3BBBFDE94580885F8A3402AE5411C84F14D1577C070C3949FE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:02.857{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50312-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000030919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:05.111{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E8A692BDF41F7ADF8B3AB147BAA46B5,SHA256=D7ECB47D6D0C00393721B22322450E7A1597245780B8B21634E382F1223150EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:02.946{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63199-false10.0.1.12-8000- 23542300x800000000000000039252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:06.706{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A29E47E62CDC173951A47B824B852B3A,SHA256=55E23224B6A88559DE41E2EF8115B939EDF0FFB4EDEB5752214E6759B0E9001F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:06.194{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=058885A7B2A9CC16DAEAD0D3CEC1FFC0,SHA256=ED3D806D305AE57DE94701A02D1984F4F82D7C62CFA599FB65FF5703A787FD2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:07.800{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01614AC711A17EE29776EFC99CCF8FB4,SHA256=0AC63B9AA6A07D02526C0A9B1C7024BCA3B126A4505D268728AE6E19816EFCA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:07.282{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D280EDFB93EA9518167F4A03D38B6030,SHA256=6DE06336BAC2CAFCD17492CCC6C3CAC5AF511AB225EDA53D03D9FA06709F77EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:08.900{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6C61143675BDBFFDE66778D539C1EC,SHA256=6D0BDAB1B5CEBD355A9F62DEA771B3EDB7C8CC3D3702BBF17573C0C56BB43F91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:08.643{3AAE424D-DEE3-630D-1A00-000000007502}1788NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-057096b16942fd9f4\channels\health\respondent-20220830095653-049MD5=D4339613963D06E92774A3EB9FED8697,SHA256=EC6B2C8C371CA336E2A0B482E95A3B0DACA37B87AC3FADB516AE5F6436D8643B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:08.382{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EBECE93CD6E5E113C3DB1ADA2540E94,SHA256=7CAE8C2858D0522577608B9C2D79C64919643DD46C2102F0AA0B6D2545FE4BC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:09.955{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C3071F9BD25BCDB114F1F3007978443,SHA256=3B68F0D687BE95D612CE4CCF5252473CF2437FB7E4593E10E597DF0160BBCD49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:09.625{3AAE424D-DEE3-630D-1A00-000000007502}1788NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-057096b16942fd9f4\channels\health\surveyor-20220830095651-050MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:09.485{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5AF01C98D0E58782DA4986C2816B759,SHA256=83FF54F8E258BE14FF7CA7AED070F6AA7BEB1538C95D0AF081D466A6811ED123,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:09.659{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:09.649{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:09.643{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:09.642{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:09.639{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:09.597{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:09.590{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:09.573{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:09.566{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:09.561{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:09.551{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:09.544{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:09.534{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:09.527{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:09.518{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:09.511{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 23542300x800000000000000039257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:09.493{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F10761BF1FABE9ACA567A4E55D07BF6E,SHA256=D176E9D43E6FB26DF4788AECA2215E705A9EE9BCECF723BD66284464281BB053,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:09.470{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:09.468{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 23542300x800000000000000030927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:10.581{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA13B0C4AA6B7A69ECDDDA24A7F3CEF,SHA256=3A868B4C4D96E0572727F4C06373BE95A83245B379F0A70513AF1B871C238759,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:10.133{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:10.129{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:10.128{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:10.126{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:10.121{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:10.108{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:10.105{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 354300x800000000000000039284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:09.254{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63201-false10.0.1.12-8089- 354300x800000000000000039283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:08.941{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63200-false10.0.1.12-8000- 23542300x800000000000000039282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:11.029{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9147E381DDD36B3960856A01249FB47,SHA256=A98DA0CE00359DAB80D9C6FB70EAE3E07F98D0B362C9F07ABFE3D03EE1ABB889,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.724{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.723{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.723{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.721{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.706{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.695{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.666{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.656{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.643{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.637{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.635{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.630{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.629{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.626{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.625{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.622{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.621{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.620{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.619{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.617{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.616{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.614{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.610{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.605{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.602{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.600{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.593{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.573{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.569{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.556{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.507{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.495{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.484{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.472{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.455{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.447{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.436{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.424{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.408{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.397{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x800000000000000030929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:11.393{3AAE424D-E5D3-630D-6803-000000007502}57525776C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 354300x800000000000000030928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:07.918{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50313-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000030971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:12.302{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F5228197F3A649FF5893D5F0443A28CA,SHA256=4033612F58139C2F0055C50D1AC4FA9B93C0510BA9A0E288E964AA9F7BE4F66B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:12.191{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43A71F6DB65B1E10567853DB53AA444,SHA256=733C23329034148288DD6699E691FB9955EBAF3518AD2497F92C1E436A04DCDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:12.756{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:12.744{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:12.718{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:12.709{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:12.696{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:12.691{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:12.690{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:12.688{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:12.685{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:12.682{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:12.680{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:12.679{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:12.675{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:12.674{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:12.672{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:12.671{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:12.670{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:12.669{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:12.667{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:12.150{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:12.149{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 23542300x800000000000000039285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:12.118{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7965557C122080B4A6A25DB914334C77,SHA256=4CCDDAF1CC235492DE6F4E655E6C051842605AE2C70583A3C2372A65A043F341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:13.403{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DB480CFA1EA6EF20C0E231827AD0771,SHA256=E69CF62CCF1DC1CA257BDC4A9C31EABC39F4A011B26D9DF745D5B612635C360B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:13.198{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA3B5B7F4F4D82E94C5CA2525D80433,SHA256=C60F203EE043A723ED08B5096F899802FCA5FC609B73771E9830ED6AA23F8C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:14.501{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=175192EFC1FCBF544D0C15B2BFE07BE6,SHA256=945D091A7537D0F6DD7D20543EC3503B1C9C6ADC3E90116FF311AE8AA3062C94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:14.590{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1121DB89838C1A1F5ACAACC5BA7FE6B1,SHA256=7DC351CF96E2868D956651951779FD020608855DEBE94C4A4AE077137B326826,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:14.291{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=875647E07A1E34AB71C5C2528582EC93,SHA256=5DDEEB6303B2ADAE3ED1B8967E870C49487D4F58EC4401C1985984C4690CFB7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:15.600{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A648BED0F86B5AB33B2BD8F993BAF9D1,SHA256=B19BCF84AC651A08478FC3EC2ECC63BCCC8C6CC1462240ADCD462E5E49592941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:15.383{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FC48EE7DF13A2A1E25A9E49FDD4C46D,SHA256=7B6426BF4959F4656B7889EE81EA342EC88F8C04F5EB943F49EE21EE2884DBC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:16.476{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE03EC2A131F03F0CE1CF8E9B86553D,SHA256=836C7BB0B9C418FCB2E410E902D331478801ED42F03520083546736D768687DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:16.660{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000030975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:13.866{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50314-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000039312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:13.245{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local63202-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000039311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:13.245{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local63202-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local389ldap 23542300x800000000000000039316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:17.633{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FE57854ED850CE46ACA2BB40676E2527,SHA256=F436E2CD542BF908B5373C8EE350D00CD4A900AD0A1ACA516CC35D4B244D4883,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:17.575{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=913C6FCFD77FC58D71A01CF381B8BAF0,SHA256=D514E71D605AAE420F39D67EC1506B770E052105C653DCB12CEBE9235C24040A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:17.216{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D17A94BE6FD31DB6965EC4A87F05D445,SHA256=5C6527CFBF91465D2AD10C66A5788168CE2D7D074D575207D55050578828E870,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:14.819{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63203-false10.0.1.12-8000- 23542300x800000000000000039317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:18.656{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AD77B259366FE922D0555AE5AEF4E5A,SHA256=33E3C65A97E48D55141A48EBE1658DB65E28F21CA8EAB92FFDD70EA803C554AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:18.238{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396FD73AD12268E71AB54587017F31B2,SHA256=72A2FE9D987BF17AB6707DACD4D7393DBDCF9EF8EBEC50029C28B31F5100AFE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:19.737{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56306D22ECD2F3812CE08DA13366B6CD,SHA256=42AE8A067E02D5608551C2FE5AD6F42231103B150E9519B8DFDC043817110C48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:19.331{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A5963ECC8BA84DBB8D27C04D7716B1,SHA256=EEE92BBB52F92E4E7853D71D63285EF19DEDEEECB95C814348AEF71829547B61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:20.823{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ED653A522379A7C7E5D3644997F2E37,SHA256=558E7E9F68827F966708A22D2CC0898C61D67D9C3CFD6E96B6712A24A38599DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:20.417{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3362C90DAEE29D6A707D8A629075A58,SHA256=D489966D188909A122AE3533AF62989C46BC03C4690D7E3814AB0363B25B431D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000031008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:20.339{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8bc5e-0x04f2d509) 23542300x800000000000000039320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:21.915{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD9E544FEB07A3158B883D56FCB65831,SHA256=72365F2E75154B43918C329776EB16212D6A2E888960A411F078DE52CCFC79BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:21.503{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5924433DC2E716E84F7BFE0D3CDD2B72,SHA256=F7E9716E558F26D5A86E4408C3CB8CF815D5D1499161C9C6C9F209EAB717F4AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:22.701{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00AAC65D522158909195ABA735774CAC,SHA256=26B21FD198801ECA949B9AF5CAEAEBA306790EFBD0FA4945555B77BE8327EEE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:19.902{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63204-false10.0.1.12-8000- 354300x800000000000000031012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:20.033{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal123ntpfalse169.254.169.123-123ntp 354300x800000000000000031011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:19.839{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50315-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000031014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:23.788{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A26A8745267B9A79B92B0CFD89B995,SHA256=EEDC4DC7399FFDECB830938DFFCEC199C00129DD6C6587C8C8461AB5D63A53D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:23.018{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DC43E897240F4E3A99202D8DD8906A8,SHA256=765DE7436EAD8F22F544BEBD3FA6E1185A2D6CAB796179F70B410B20770AEAFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:24.876{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC2781C08FA479F3B5D9EF1BFF0EB0D,SHA256=1778D3A0041003174EC9E8147E1F59DEC49967A4D4342C16E4FE9E7EE15D365E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:22.402{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local51906- 354300x800000000000000039324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:22.401{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local56558- 23542300x800000000000000039323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:24.124{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55BF2E537EE5D6F8E861B28FA3BB58C1,SHA256=2AB4958DCFBE515DEDA9E81E0F0CD3C312AA609C1E86A5E9364B00EC4108E10C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:25.968{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA77C23C654B874ECA99D9688E65BA9,SHA256=95C1EF8315A8F9D3855A6B0156C9F582CE16EE6DB19FBF9A3F1C25184B5FB81F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:25.208{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0DD1B620AD115C7BF7552101C2A17C5,SHA256=0D09764C7885359A0F101927A9BD795132BD2F3971A022A51EF7BD25C3C80FA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:26.297{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53BC646A327FDCD204F75FBEE450344B,SHA256=25A468D7CE630E8C22B3FF653B2178D440663E557E91A4C4881FB81E365D1593,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:25.806{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63205-false10.0.1.12-8000- 23542300x800000000000000039328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:27.393{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3357A8EB782849966DBE36DED378FB6,SHA256=CBF8BB0786042EB39C29ABEDD439716FFEEBE067C6136223A9C78C3AFF7F76A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:27.414{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F10761BF1FABE9ACA567A4E55D07BF6E,SHA256=D176E9D43E6FB26DF4788AECA2215E705A9EE9BCECF723BD66284464281BB053,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:25.772{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50316-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000031017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:27.069{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1DF577928AE1D777E1D35B8870CA2CF,SHA256=99FE69F7DB668E20861FC632F9106E789BC7B818038CC918A722264E4229ED8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:28.477{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2AAE86FF9FEC90864518F9B794C404A,SHA256=C5B2907FEB8B42D3DD1DA8A11CF33C5DF3408200F305CE5CBAFD3FD52DAC1820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:28.166{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1542FCB2F52DAEEC3205CBC241803CB4,SHA256=4EF8962775C8E226BF6CF075177870B540F36E679E688A59EBF1B3DE1B4F4DD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:29.679{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:29.673{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:29.670{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:29.668{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:29.665{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:29.638{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:29.633{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:29.621{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:29.615{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:29.611{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:29.601{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:29.592{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:29.576{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:29.566{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 23542300x800000000000000039335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:29.557{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=390438A8D6DD8C19B491F6AA95AF44EA,SHA256=B2A121121E5DECCFEAC37821715D584DF1A330641CFC34F2D5CCAEDF0B7FBCB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:29.549{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:29.539{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:29.489{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:29.485{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 354300x800000000000000031022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:27.108{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50317-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000031021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:29.256{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2098D9D369B86FFCA130EA470A3488CA,SHA256=4DDB38D7171B8B76A5BC3C1A389A233A65FD80EB0D5FBF5639D94E37607E4AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:30.897{BEA5AFC2-DC92-630D-2300-000000007402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00bf26b22d19118c1\channels\health\respondent-20220830094700-059MD5=C491190F90C7972FBE76687DCEFF5872,SHA256=DB0E0926111D00D550C987F8CEF70C29389AC9CA5369CEC4CC3BEF95D75DEA18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:30.609{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A98F160AD9B240C81CF93660BE93AA,SHA256=83BE8315F4A78F962CE515672C049B31774E9EEB05A34E576989173A809F20A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:30.346{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47A0B358FA6E7A188DEAFF4D82CC776C,SHA256=85431B3DFC2E65541B4263893EE3B1645B454708847AF059D697525AF2974F6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:30.043{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:30.038{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:30.035{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:30.033{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:30.027{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:30.013{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:30.010{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:31.916{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-E595-630D-7006-000000007402}5272C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:31.900{BEA5AFC2-DC92-630D-2300-000000007402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00bf26b22d19118c1\channels\health\surveyor-20220830094658-060MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:31.680{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D00DB3529348D15E001FB421ACB40F57,SHA256=289C8426314C91BF058D051432A17D0D3CC82829C211F3B09729B9815F00124A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.685{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.684{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.684{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.679{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.661{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.654{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.628{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.620{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.606{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.601{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.596{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.591{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.589{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.586{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.585{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.582{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.580{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.575{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.574{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.567{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.566{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.560{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.557{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.552{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.549{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.547{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.539{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.526{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.524{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.514{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.480{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.472{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.461{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.453{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.439{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.434{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 23542300x800000000000000031029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.431{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1466FE8A722F99B780EC5BCA88BFC8C2,SHA256=B7228AD63B6F220C36D96E8DEFE196049266AF6DF6D8A47D49000B9BF53CB7A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.426{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.419{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.411{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.403{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:31.398{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 23542300x800000000000000039383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:32.777{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C742ADDC5167DD95A43E7C527B12DDF6,SHA256=90049F684DE9007B15A6031E3AA256ED535DA94ECBEF911E48460942975D9985,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:32.882{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=740BD4AF557EE4E267C9A70CDA6766AA,SHA256=555E61CAE502E2FC17B254E6451CA50362ABAF689D5C17C408E6587A9FD9EC51,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:30.882{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50318-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000039382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:32.658{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:32.650{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:32.621{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:32.615{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:32.606{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:32.602{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:32.600{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:32.598{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:32.596{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:32.593{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:32.591{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:32.590{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:32.587{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:32.586{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:32.585{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:32.584{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:32.583{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:32.582{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:32.580{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:32.070{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000039362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:32.069{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 23542300x800000000000000039385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:33.867{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38812CF2EFA864C1436B5E8E32DAA0BC,SHA256=BE2407BE7E9AB7134706064D82F8E3C5EF9705E402C1CBD5B9B3CE3E77F8BE40,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000031075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:33.640{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x800000000000000031074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:33.640{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x800000000000000031073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:33.639{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x800000000000000031072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:33.635{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x800000000000000031071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:33.635{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x800000000000000031070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:33.635{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x800000000000000031069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:33.633{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000031068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:33.467{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F6FC16B874F25B129D5986AAB1E135,SHA256=80A44DDB202886EEB1AC30A5382FA03FA02D9A1422B8681377D0E53BDEB2CD23,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:30.910{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63206-false10.0.1.12-8000- 23542300x800000000000000039386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:34.960{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4427AB0F094C0761B30D4BD7CECAE188,SHA256=38D27B3E34DCC84DA93303E05BC124A384A11622504F4BBBDEFDA20DA6EB57C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:34.559{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A1334AC350001A5D3EBFAC506BA1900,SHA256=2444631A54CA9473B6B48B0AA3AA1E57FFBEB063D810CDA24EA63CE3E104B16F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:35.650{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF1F5AD6032729588AC424DC8DA5563,SHA256=FFBA4280141E79F73D49045859DD34B0B3CFE5B20460979B56A91A82917F3965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:36.751{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF6CAB2ABA707B99CD432266B96C66D,SHA256=088C77EEFF197541741300E142B617CD6BD46EE749C87F0FF9AF92549B757E6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:36.047{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98C2565BA7D259D4A8C956859650D0F0,SHA256=FA7BDBD7F1B7592816E3C2DA8747B27234E27C26FE926E71887CA94F39803F65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:37.842{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD551C9D03CE1D60054AFDAAA7A7D50,SHA256=4405488CACB733DE36890349D409EE997B12BE3D343C373692FB22683F14E2D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:37.131{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47A7246F0F7EBE5F31D3281DEC794E50,SHA256=411E640559DD931F5668CB337D3EF013EE0B4EA71E42959F3CFBE31FC1DD7DC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:38.944{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67EA335EE8AA29F88146AE9A8F3F9F20,SHA256=F4381DFB592F9E18775101AAF0AA51ADF9EAB71F743C4FCFC8A291D0AE0DE19F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:35.947{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63207-false10.0.1.12-8000- 23542300x800000000000000039389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:38.231{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB10148BFA9A10C237C02A9358EEA91F,SHA256=5C32D97567686E5BC666273EBD62921067C31746D8CDEF224E60DA83A4B0383C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:36.790{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50319-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000039391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:39.324{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076F3BE6C36923CFFADAF4A54B501179,SHA256=5FC75A20D84C284F5D0F5FB7ED007A68011F24CB122AEC78FEA8D19BA9E56A8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:40.408{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9264420080B9C8DF023473A8C8560D4,SHA256=C24CC60C3164EE879FFB162547850592BAAEEAD897562AD619B6EABA0DD1134C,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000031133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.937{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000031132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.937{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000031131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.937{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000031130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.781{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000031129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.781{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000031128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.781{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000031127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.781{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000031126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.781{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000031125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.781{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000031124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.781{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000031123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.781{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000031122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000031121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000031120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000031119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000031118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000031117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000031116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000031115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000031114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000031113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000031112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000031111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000031110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000031109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000031108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000031107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000031106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000031105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000031104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000031103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000031102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000031101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000031100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000031099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000031098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000031097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000031096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000031095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000031094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000031093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000031092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000031091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000031090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000031088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x800000000000000031087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-DEE2-630D-0500-000000007502}4081028C:\Windows\system32\csrss.exe{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.766{3AAE424D-EB08-630D-2004-000000007502}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:40.033{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35BB772A6389FC154E0930751D8FBD6F,SHA256=B0C9C79117F593704A4B02F6AABDA1647C9E3CE590038BAADB80C80B4C97A34B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:41.494{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D969347F7C3A0C90499C0BBFCA12C543,SHA256=90CB62B99E544F5FACCA0D2DBCE3C5F786D6452734863043B83493B329C9A2D1,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000031240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.936{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000031239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.936{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000031238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.936{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000031237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.936{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000031236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.936{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000031235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.936{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000031234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.936{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000031233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.936{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000031232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000031231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000031230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000031229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000031228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000031227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000031226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000031225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000031224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000031223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000031222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000031221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000031220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000031219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000031218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000031217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000031216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000031215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000031214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000031213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000031212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000031211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000031210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000031209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000031208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000031207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000031206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000031205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000031204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000031203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000031202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000031201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000031200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000031199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000031198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000031197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000031196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000031195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x800000000000000031194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.921{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.922{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.889{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18DA0881C128627E3B8A74B1234CCEC0,SHA256=8A059AD62A5C40165ACC60610A2FC28A5C941190834D3BEEA3DD06B45EE704E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.499{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=12FCCABEA17996859C09886A7C84D9F5,SHA256=37ACAEAA335C63D0F99083CE6173DA785C4FA6849A5DC9C9E5C568AAF869B499,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.467{3AAE424D-EB09-630D-2104-000000007502}44805616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000031185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.467{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000031184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.467{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000031183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.311{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000031182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.311{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000031181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.311{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000031180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.311{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000031179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.311{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000031178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.311{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000031177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.311{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000031176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.311{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000031175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.311{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000031174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000031173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000031172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000031171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000031170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000031169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000031168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000031167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000031166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000031165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000031164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000031163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000031162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000031161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000031160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000031159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000031158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000031157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000031156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000031155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000031154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000031153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000031152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000031151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000031150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000031149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000031148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 23542300x800000000000000031147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70068769D84859823B3B055877BBF5B8,SHA256=4D8DB6E75EB4697E64DC239375D740F2518CB600EB9F3A9EA62F701B8F63AA7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000031145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000031144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000031143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000031142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x800000000000000031141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000031135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.296{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B0C3502E3345C5BEF57D2C9A5332F36A,SHA256=9CBA8972E38BF31AC2940656928D7A2E59A5FACB9D7B445134887FFD60499E91,IMPHASH=00000000000000000000000000000000falsetrue 154100x800000000000000031134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.298{3AAE424D-EB09-630D-2104-000000007502}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:42.589{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF98CFB37D9BB81859423417A69EAE5,SHA256=237B513C40FFBF7A5F6A63F771B54C402B85927D0B2DD93E173A088073E20F54,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000031296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.749{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000031295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.749{3AAE424D-EB0A-630D-2304-000000007502}60045664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000031294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.734{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000031293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.734{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000031292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.640{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=624C352FE7893B4A028927B70155C069,SHA256=6E204241041CEF0634F5D09A1BF822959357E984D54D37547E9536D995FF5477,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000031291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.609{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000031290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.609{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000031289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.609{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000031288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.609{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000031287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.609{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000031286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.609{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000031285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000031284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000031283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000031282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000031281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000031280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000031279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000031278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000031277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000031276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000031275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000031274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000031273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000031272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000031271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000031270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000031269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000031268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000031267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000031266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000031265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000031264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000031263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000031262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000031261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000031260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000031259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000031258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000031257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000031256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000031255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000031254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000031253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000031252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000031251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.593{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.594{3AAE424D-EB0A-630D-2304-000000007502}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:42.181{BEA5AFC2-DC81-630D-1000-000000007402}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=847FEEEDB5FF287DF16C66B91481A895,SHA256=65B5D7FD2576780755249AB28DAC475F3726818BC4EDA823D4656FF6DFAF25CB,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000031244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.077{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000031243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.077{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000031242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.077{3AAE424D-EB09-630D-2204-000000007502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000031241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:42.061{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8242ADBCE31086964E60243052FDAE7,SHA256=51B9E5A8B0A2B1AB0F0AD1C8C485B4BD721F9DEBF0E00BEE9A4625E195B7D55E,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000031344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.918{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000031343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.917{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000031342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.917{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000031341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.916{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000031340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.915{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000031339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.914{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000031338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.914{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000031337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.913{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000031336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000031335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000031334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000031333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000031332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000031331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000031330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000031329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000031328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000031327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000031326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000031325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000031324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000031323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000031322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000031321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000031320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000031319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000031318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000031317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000031316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000031315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000031314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000031313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000031312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000031311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000031310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000031309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000031308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000031307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000031306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000031305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000031304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:43.680{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43E15E8FEB401E87993B8825864C9A4C,SHA256=448ADB837AE51FB2077B821D2DB30455041FE9BD6067434B21088882DA025F99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-DEE2-630D-0500-000000007502}4081028C:\Windows\system32\csrss.exe{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.897{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:43.894{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=873999293D806886FBF556A3303CE217,SHA256=3972BF50C2C6AFDF433CFB63D5DF3DA14518E1EC076D8B1AB607DF5BECD60989,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:40.955{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63208-false10.0.1.12-8000- 23542300x800000000000000039398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:44.766{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B839E967534CCD8F28FBA611B1EE6557,SHA256=A061359CE80493EF23A0AD165B2447318696A6C950CB2D1E494FF785E926454C,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000031401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.764{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000031400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.764{3AAE424D-EB0C-630D-2504-000000007502}36444452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000031399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.748{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000031398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.748{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x800000000000000031397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:41.959{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50320-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x800000000000000031396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.577{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000031395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.577{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000031394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.577{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000031393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.577{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000031392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.577{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000031391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.577{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000031390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.577{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000031389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.577{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000031388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000031387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000031386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000031385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000031384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000031383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000031382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000031381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000031380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000031379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000031378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000031377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000031376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000031375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000031374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000031373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000031372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000031371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000031370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000031369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000031368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000031367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000031366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000031365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000031364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000031363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000031362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000031361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000031360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000031359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000031358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000031357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000031356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x800000000000000031355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-DEE2-630D-0500-000000007502}4081028C:\Windows\system32\csrss.exe{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.561{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.562{3AAE424D-EB0C-630D-2504-000000007502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000031348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.051{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000031347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.051{3AAE424D-EB0B-630D-2404-000000007502}60005956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000031346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.051{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000031345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:44.051{3AAE424D-EB0B-630D-2404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000039399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:45.867{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10CB7942C9CB8692B2E05169E0E90995,SHA256=986054F4D371A3FF7F8F3CF2EEABC9875180915AAEA3A714322A433A5CE55FEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:45.063{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD7DA6310D35FCA448E7CEF5F58AEF52,SHA256=C3F021C03C567712C1B883122D3B0C5DBE34FD1CCB34B01DE6496EC143B101F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:45.048{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4056536E7F1F56FC8C361EB2C30003DD,SHA256=9E3CC7B42DF9E87E2FFE59C0F5D9E9279160322B9C9F1C6F1349557611B12A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:46.970{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F74E8589C7E7D13A4A6D7869E36FF2AE,SHA256=97C7892A6D700F2A2C4B238BC33A980875834EC80D9DDDAD19B0A6412C0DD6E3,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000031484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.744{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\wpdshext.dll10.0.14393.4169 (rs1_release.210107-1130)Portable Devices Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShExt.dllMD5=CEB555E9099888316A1E2ADE83BA82BF,SHA256=4110FFD5F08100D1F6E1005E2907460E40B3221A0833B821BE291657416E89F0,IMPHASH=60006258D4DE87B31BEDA805A8CC8040trueMicrosoft WindowsValid 13241300x800000000000000031483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:46.712{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000031482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:46.712{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000031481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:46.697{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B8CDCB65-B1BF-4B42-9428-1DFDB7EE92AF} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000031480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:46.697{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 734700x800000000000000031479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.697{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\mydocs.dll10.0.14393.4169 (rs1_release.210107-1130)My Documents Folder UIMicrosoft® Windows® Operating SystemMicrosoft Corporationmydocs.dllMD5=999FD44CF5713852E6083A43A7917761,SHA256=D5C75951C29B7F0AAA4EC9E9AB3195933E650C1F171092F389FD4DB66CA1CA20,IMPHASH=D1267CC8F49B54A66A0034D2C4452E93trueMicrosoft WindowsValid 13241300x800000000000000031478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:46.697{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 734700x800000000000000031477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.697{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\sendmail.dll10.0.14393.4169 (rs1_release.210107-1130)Send MailMicrosoft® Windows® Operating SystemMicrosoft CorporationSENDMAIL.DLLMD5=04626525E567811FC7ECB3E31D94F8B0,SHA256=678A3A9DD713DC61F72112BD3160B8753F1A50D1179FDFABD265C32103980A6A,IMPHASH=52DBB027F849F4DB11CB3C2B56C0E9FBtrueMicrosoft WindowsValid 13241300x800000000000000031476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:46.697{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 10341000x800000000000000031475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.697{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.697{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000031473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:46.697{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 10341000x800000000000000031472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.697{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.697{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000031470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:46.681{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithProgids\CompressedFolderBinary Data 13241300x800000000000000031469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:46.681{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000031468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:46.681{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000031467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:46.681{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000031466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:46.681{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000031465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:46.681{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000031464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:46.681{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000031463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:46.681{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000031462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:46.681{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 734700x800000000000000031461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.416{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000031460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.416{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000031459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.416{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x800000000000000031458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.322{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000031457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.322{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000031456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.322{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000031455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.321{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000031454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.320{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000031453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.320{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 734700x800000000000000031452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.197{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000031451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.197{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000031450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.197{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000031449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.197{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000031448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.197{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000031447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.197{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000031446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.197{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000031445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.197{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000031444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000031443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000031442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000031441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000031440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x800000000000000031439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000031438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000031437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000031436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000031435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000031434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000031433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000031432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000031431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000031430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000031429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000031428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000031427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000031426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000031425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000031424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000031423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000031422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000031421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000031420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000031419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000031418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000031417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000031416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000031415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000031414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000031413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000031412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x800000000000000031411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.181{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.182{3AAE424D-EB0E-630D-2604-000000007502}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:46.134{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85C1877B375753599B439C92C2C7087D,SHA256=8AF9E26A0A26D5B5CECCE1D716555CC743EB7D6DEF7893BEA539D2AFBB4F21C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:47.287{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000031490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:47.287{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000031489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:47.285{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000031488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:47.285{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 23542300x800000000000000031487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:47.251{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7CCAD4CF1D2D57E72F646DFFB1475E3,SHA256=A7CBA90D127BC06E9F51820A6DA1928E2D07B2EDD637075E5A66B5368DDB5435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:47.248{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E717A4A5F12C287629D4900073DB3D,SHA256=30015CDE61D8B6D54711C17539DE72353DF958AA228CAE2A0492907FEEACE6BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:47.246{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=975E9C6E58A5904427167ED4061466F8,SHA256=6FD646E1C961EAB11B7D9F2375522AB52E50A17B1918102646014A98DE543A48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:47.787{BEA5AFC2-EB0F-630D-2607-000000007402}26646424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:47.772{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9F5C2AC5E2652092D349494CB316C332,SHA256=5759EE22126895E16A0E1EFA06BB74DBA2CDCB15E591ACA00FD2BB422C6712F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:47.631{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EB0F-630D-2607-000000007402}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:47.631{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:47.631{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:47.631{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:47.631{BEA5AFC2-DC7F-630D-0500-000000007402}416432C:\Windows\system32\csrss.exe{BEA5AFC2-EB0F-630D-2607-000000007402}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:47.631{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:47.631{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EB0F-630D-2607-000000007402}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:47.632{BEA5AFC2-EB0F-630D-2607-000000007402}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:48.340{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C745B0841DC52A30AA2BEC502A9E91C2,SHA256=3A34DE1EA8AC0B6EBA8E3613444457E0716104F2DDC3DC83CF790EAF013781F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:48.977{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EB10-630D-2807-000000007402}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:48.977{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:48.977{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:48.977{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:48.977{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:48.977{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EB10-630D-2807-000000007402}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:48.977{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EB10-630D-2807-000000007402}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:48.978{BEA5AFC2-EB10-630D-2807-000000007402}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:48.821{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=850DA1F81F17186893129DFC2735FA81,SHA256=1A911DEB26CCAA3730D220703B0CA8D372C3517FEBFA93AAA43094834D8FFFE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:48.304{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EB10-630D-2707-000000007402}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:48.304{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EB10-630D-2707-000000007402}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:48.304{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:48.304{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:48.304{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:48.304{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:48.304{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EB10-630D-2707-000000007402}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:48.306{BEA5AFC2-EB10-630D-2707-000000007402}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:48.280{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3BA40764D691E6B7E3EE24CA84B68895,SHA256=02848A971620A566F35C4646B96C3527ACCA342C97F3CFA356E3003F1908831E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:48.069{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29DAC79C62007CD717112FF4E712F37C,SHA256=133E93F9542591F93C64C0D77DC166B11852E75A5B85D71627EC812FB88A3972,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:47.919{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50321-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000031493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:49.435{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417DEA27071BE6BD1FF7934253A964D1,SHA256=D55832358027FBA6A7B11BCA612EBA1E886836197A07442AFF60FFA9DFFF6441,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:49.847{BEA5AFC2-EB11-630D-2907-000000007402}59124028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:49.651{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EB11-630D-2907-000000007402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:49.649{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:49.649{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:49.649{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:49.649{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:49.648{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EB11-630D-2907-000000007402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:49.648{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EB11-630D-2907-000000007402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:49.648{BEA5AFC2-EB11-630D-2907-000000007402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000039449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:49.622{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:49.616{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:49.614{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:49.612{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:49.610{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:49.584{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:49.577{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:49.563{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:49.558{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:49.553{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:49.545{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:49.538{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:49.529{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:49.524{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:49.516{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:49.509{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:49.478{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:49.475{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 354300x800000000000000039431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:46.838{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63209-false10.0.1.12-8000- 23542300x800000000000000039430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:49.149{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D760F78D64A6370E869B36B34680D3B2,SHA256=760CCDE1814AF58037ACEC98356459E437AACAE5FF8778C67A9DC147FC41BB66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:50.585{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EB12-630D-2A07-000000007402}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:50.585{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:50.585{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:50.585{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:50.585{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:50.585{BEA5AFC2-DC7F-630D-0500-000000007402}416500C:\Windows\system32\csrss.exe{BEA5AFC2-EB12-630D-2A07-000000007402}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:50.585{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EB12-630D-2A07-000000007402}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:50.586{BEA5AFC2-EB12-630D-2A07-000000007402}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:50.301{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8556C255A5363B395AFDE62A81FB193C,SHA256=AA3386D9D608FB13CC9F603A35DB7D3457A1070DA2EFEE9DBF0E91EEAD360661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:50.639{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4CE1FC27E99957A0D2F729D4A9BB985,SHA256=3F33C1AB29A5379E3D21CF4441BE33AB1EA64C0A67D7455C7D18735C35C384F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:50.034{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:50.030{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:50.029{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:50.027{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:50.021{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:50.005{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:50.001{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 23542300x800000000000000031614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.796{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=990903B1E55B655383343DD5AE3E9783,SHA256=59E91E758D815BED3240D2F7464B676C502E6DF911D53D0386CF0ACA1238D591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.796{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1980C2FD2D1172D8571DB4139C05CCE,SHA256=CFC7413985647D64BF9003228C01B00F1AD48BEE69B83E546B20463408932987,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.780{3AAE424D-DEE3-630D-1100-000000007502}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=225B96A2A583BA28DE3605117C9EB366,SHA256=56201B939638F695BB3AD4FFE74CDEC4A2284257A8EE669DDA69C0E0655435B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:51.933{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EB13-630D-2C07-000000007402}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:51.933{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:51.933{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:51.933{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:51.933{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:51.933{BEA5AFC2-DC7F-630D-0500-000000007402}416500C:\Windows\system32\csrss.exe{BEA5AFC2-EB13-630D-2C07-000000007402}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:51.933{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EB13-630D-2C07-000000007402}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:51.934{BEA5AFC2-EB13-630D-2C07-000000007402}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000039484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:51.412{BEA5AFC2-EB13-630D-2B07-000000007402}62524804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:51.412{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C62A993D3F6B21A1812AE9B8EE2B9AE,SHA256=52EF67A7857CB71150D43B5218C8573A6DBDA5BC5A81D29BDC90B7D05FCEEC0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.608{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.607{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.606{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.605{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.604{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.592{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.580{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.557{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.551{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.542{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.537{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.535{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.533{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.531{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.529{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.528{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.524{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.523{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.522{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.522{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.519{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.518{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.517{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.513{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.509{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.506{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.504{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.498{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.486{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.484{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.476{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.452{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.447{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.441{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.434{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.424{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.419{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.413{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.403{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.396{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.383{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.376{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000031569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.347{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000031568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.347{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000031567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.347{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000031566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.325{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000031565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.325{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000031564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.325{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 734700x800000000000000031563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.139{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x800000000000000031562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.139{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 23542300x800000000000000031561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.218{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAB40855E7ED4A3B56DDCC72402D5176,SHA256=2B18E03A7D8360C1A0198596FE4413DDB73DDBE43CF11FD5D3B15B9B7A606989,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.218{3AAE424D-E5C4-630D-4D03-000000007502}38763224C:\Windows\system32\taskhostw.exe{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000031559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.139{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\ExplorerFrame.dll10.0.14393.4169 (rs1_release.210107-1130)ExplorerFrameMicrosoft® Windows® Operating SystemMicrosoft CorporationExplorerFrame.dllMD5=BB0850797E5D50E70FFB3FFCEBFE77A9,SHA256=042F69100AAEB04CF79872035422A033FB87F2F0113EE89AB6B61FFA41A224D8,IMPHASH=BE381F028EB6D274783D5F8AA4F3DCECtrueMicrosoft WindowsValid 10341000x800000000000000031558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.203{3AAE424D-DEE3-630D-1700-000000007502}11722440C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.170{3AAE424D-E5C4-630D-5403-000000007502}36044444C:\Windows\Explorer.EXE{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.170{3AAE424D-E5C4-630D-5403-000000007502}36044444C:\Windows\Explorer.EXE{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:51.265{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EB13-630D-2B07-000000007402}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:51.263{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:51.263{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:51.263{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:51.263{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:51.262{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EB13-630D-2B07-000000007402}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:51.262{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EB13-630D-2B07-000000007402}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:51.261{BEA5AFC2-EB13-630D-2B07-000000007402}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000031555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.170{3AAE424D-E5C4-630D-5403-000000007502}36044444C:\Windows\Explorer.EXE{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000031554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:51.170{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000A0424\VirtualDesktopBinary Data 10341000x800000000000000031553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.170{3AAE424D-E5C4-630D-5403-000000007502}36044392C:\Windows\Explorer.EXE{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.170{3AAE424D-E5C4-630D-5403-000000007502}36044392C:\Windows\Explorer.EXE{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.170{3AAE424D-E5C4-630D-5403-000000007502}36044392C:\Windows\Explorer.EXE{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.170{3AAE424D-E5C4-630D-5403-000000007502}36044392C:\Windows\Explorer.EXE{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000031549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:51.170{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 10341000x800000000000000031548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.170{3AAE424D-E5C4-630D-4D03-000000007502}38763224C:\Windows\system32\taskhostw.exe{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.170{3AAE424D-E5C4-630D-4D03-000000007502}38763224C:\Windows\system32\taskhostw.exe{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.170{3AAE424D-E5C4-630D-5403-000000007502}36044756C:\Windows\Explorer.EXE{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.170{3AAE424D-E5C4-630D-5403-000000007502}36044756C:\Windows\Explorer.EXE{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.170{3AAE424D-E5C4-630D-5403-000000007502}36044756C:\Windows\Explorer.EXE{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.170{3AAE424D-E5C4-630D-5403-000000007502}36044756C:\Windows\Explorer.EXE{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.139{3AAE424D-DEE2-630D-0B00-000000007502}6243860C:\Windows\system32\lsass.exe{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000031541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.092{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Program Files\7-Zip\7z.dll22.017z Plugin7-ZipIgor Pavlov7z.dllMD5=BBF51226A8670475F283A2D57460D46C,SHA256=73578F14D50F747EFA82527A503F1AD542F9DB170E2901EDDB54D6BCE93FC00E,IMPHASH=4A683D6F78CDDF7C7CDA44D5A4669025false-Unavailable 734700x800000000000000031540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.092{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x800000000000000031539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.092{3AAE424D-DEE2-630D-0B00-000000007502}6243860C:\Windows\system32\lsass.exe{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000031538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.092{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 13241300x800000000000000031537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:51.076{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000090424\VirtualDesktopBinary Data 10341000x800000000000000031536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.061{3AAE424D-DEE2-630D-0B00-000000007502}6243860C:\Windows\system32\lsass.exe{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.061{3AAE424D-DEE2-630D-0B00-000000007502}6243860C:\Windows\system32\lsass.exe{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.061{3AAE424D-DEE3-630D-1400-000000007502}8642424C:\Windows\system32\svchost.exe{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.061{3AAE424D-DEE3-630D-1400-000000007502}8641088C:\Windows\system32\svchost.exe{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000031532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.061{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000031531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.047{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000031530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.047{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000031529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.047{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000031528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.047{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000031527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.047{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000031526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.047{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000031525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.047{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000031524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.047{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000031523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.047{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000031522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.047{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x800000000000000031521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.047{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000031520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.047{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x800000000000000031519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.047{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000031518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.014{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Program Files\7-Zip\7zG.exe22.017-Zip GUI7-ZipIgor Pavlov7zg.exeMD5=5AB26FFD7B3C23A796138640B1737B48,SHA256=EB775B0E8CC349032187C2329FEFCF64F5FEED4D148034C060E227ADF6D38500,IMPHASH=F5976AA5B71D78D164DDC61EA72A2DA7false-Unavailable 734700x800000000000000031517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.047{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000031516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.030{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000031515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.030{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000031514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.030{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000031513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.030{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000031512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.030{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000031511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.030{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000031510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.030{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000031509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.014{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000031508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.014{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000031507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.014{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x800000000000000031506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.014{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\comdlg32.dll10.0.14393.5192 (rs1_release.220610-1622)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=F8BDE1A5CF167F3CB31D90BAFCA37CF0,SHA256=F356387B7DA3C0D7C8DE54B1DD08258F0FA974403BE11534CAC2C7A276DDFBA8,IMPHASH=06716A63D3E6F97CB489B0D6810B3519trueMicrosoft WindowsValid 734700x800000000000000031505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.014{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000031504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.014{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000031503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.014{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000031502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.014{3AAE424D-E5C0-630D-4003-000000007502}3152512C:\Windows\system32\csrss.exe{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.014{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.014{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.014{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.014{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.014{3AAE424D-E5C4-630D-5403-000000007502}36044168C:\Windows\Explorer.EXE{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\7-Zip\7-zip.dll+558c|C:\Program Files\7-Zip\7-zip.dll+6955|C:\Program Files\7-Zip\7-zip.dll+712e|C:\Program Files\7-Zip\7-zip.dll+7275|C:\Program Files\7-Zip\7-zip.dll+8ff3|C:\Program Files\7-Zip\7-zip.dll+c541|C:\Windows\System32\SHELL32.dll+8e02f|C:\Windows\System32\SHELL32.dll+cf48e|C:\Windows\System32\SHELL32.dll+18377c|C:\Windows\System32\SHELL32.dll+19e928|C:\Windows\System32\SHELL32.dll+2845c3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+183a20|C:\Windows\System32\SHELL32.dll+180dfe|C:\Windows\System32\SHELL32.dll+81601|C:\Windows\System32\SHELL32.dll+844e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15 154100x800000000000000031496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:51.008{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe22.017-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Temp\" -an -ai#7zMap9021:68:7zEvent15040C:\Windows\system32\WIN-HOST-CTUS-A\Administrator{3AAE424D-E5C3-630D-A9E7-310000000000}0x31e7a92HighMD5=5AB26FFD7B3C23A796138640B1737B48,SHA256=EB775B0E8CC349032187C2329FEFCF64F5FEED4D148034C060E227ADF6D38500,IMPHASH=F5976AA5B71D78D164DDC61EA72A2DA7{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x800000000000000031615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:52.886{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A6BD26D2D9ABBAEC05AA82287787148,SHA256=650E14885AC051D4E9E79C5443A35F12C33F079B111C654E153E8EE46541357F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:52.650{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:52.642{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:52.621{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:52.614{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:52.604{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:52.600{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:52.598{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:52.596{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:52.593{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:52.590{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:52.588{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:52.587{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:52.584{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:52.583{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:52.582{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:52.581{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:52.580{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:52.579{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:52.577{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 23542300x800000000000000039496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:52.482{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A96CAB795E14A5A4BB482CB957FB4238,SHA256=931FF4565D57B5599C5D5C5B43C1623874288F33A0766ED2E7111B401062A96D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:52.105{BEA5AFC2-EB13-630D-2C07-000000007402}54646240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:52.059{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:52.058{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 23542300x800000000000000031627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:53.987{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32ABB42711CB8BEB7515929DA591BD61,SHA256=FA36BEF3DB6CBB2073AD0F46C2A08514EDC681631883AC131289BE228F6A4195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:53.536{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3006380220ED150B36FAE1C35B2560,SHA256=643A02DC18AB09CB36B4BA8D0555C43FA151F67A0FA1CD5054BE4C4F22D996D3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000031626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:53.862{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000A0424\VirtualDesktopBinary Data 13241300x800000000000000031625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:53.799{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 12241200x800000000000000031624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:48:53.799{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000A0424 13241300x800000000000000031623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:53.799{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000031622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:53.799{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\7-Mvc\7mT.rkrBinary Data 13241300x800000000000000031621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:53.768{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000003043E\VirtualDesktopBinary Data 13241300x800000000000000031620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:53.706{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000031619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:53.706{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\7-Mvc\7mT.rkrBinary Data 10341000x800000000000000031618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:53.706{3AAE424D-E5C4-630D-5403-000000007502}36044444C:\Windows\Explorer.EXE{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:53.706{3AAE424D-E5C4-630D-5403-000000007502}36044444C:\Windows\Explorer.EXE{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:53.706{3AAE424D-E5C4-630D-5403-000000007502}36044444C:\Windows\Explorer.EXE{3AAE424D-EB13-630D-2704-000000007502}6092C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:54.624{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6205D1CFDA67A66D3E966D2728A68429,SHA256=DC8B50CB9819F355D4BF37244065347202394E5859EF0B57801D0C2FC54027BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:54.569{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:54.569{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:54.569{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000039517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:51.973{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63210-false10.0.1.12-8000- 23542300x800000000000000039519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:55.724{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F24E085B3192AD0BE5F76B709E8792E,SHA256=F5BF74BA54FBFB3507FC48FCD46321C59A84937226E47B4A393C8077BB5291A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:53.822{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50322-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000031631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:55.086{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=514228B81EA9439822181B01F5D12A02,SHA256=155F5D4A374E21F0748A8CAEB4E7FF107E76315DFACBF41B54A08CD98FE4BECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:56.825{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D47B8981EC7C6587F213163E7B1BD162,SHA256=B4BDAFA3281CD3C1F8304B91DBDF2191E21BDB156DE7F62D300B6B23532F6219,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000031635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:56.823{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000031634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:48:56.823{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 23542300x800000000000000031633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:56.185{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2743CFEF8C58728C803D2B1DEF88E59B,SHA256=1C40BD8033C15E11C29BF8BEF0CD35213AB44B2FF9C058AA130D9ABF701833FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:57.917{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A0BDEE513CA13B7D4DDD80F1062785,SHA256=F2C735F62549C948F3180FA516AFF9F6B1AD52EF696AA7CF2F441FA68C862C98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:57.277{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D56F140C53B5E369CDB5A6F6FA7B91,SHA256=D45809AE3C858B6BC3FD2F6677A0A3A1B79E690E1EF128F44974FC8FBD73ACC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:58.994{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5F41AB5720B6A23A16B15E737CC0415,SHA256=40296CAE3B73848D5F7183B0D3CF7529A955CEAB5B37CDAF13827B9EA1977208,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:58.378{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E88EFF90393681A66B2D8AA41E1385C,SHA256=AAE17F2497EB6D96136405CDF1A3F604F524789E63599E4DB37324F421E02CC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:59.480{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D0951DF3CB1AD415A7E51F942134311,SHA256=32FFF2D3D64A9E9CE0514021A4FF4B636BCD6C9805D51D13D64DCCB2B705DD80,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000031640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:49:00.694{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475Binary Data 23542300x800000000000000031639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:00.577{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0569408BFDCFC59FE0FBA64A9A4897E7,SHA256=505936728A4710DAE7177027F583A1C87333BB191F150DD692B9046D6B8212E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:48:57.957{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63211-false10.0.1.12-8000- 23542300x800000000000000039523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:00.073{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F72C2B983F3A43BBD484FBB7E078ED3,SHA256=E8AEBED20FC42797C56C2CC9CF235E95E605E43705E3548A5169C14BD15FDF88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:01.653{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4397F3822F3F4FA2E647123F548C278E,SHA256=7BE614842D85251443D53099A2FB771BA148B8F5F2D270A49C2D19D2A0797ABF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:01.444{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:01.444{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:01.444{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:01.163{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C066E146DDB9511C26406D1160E2BA61,SHA256=FE0218267F52DAB129C69D7A8B85DDE9647FB7E95B0B0AB612520AFB83FA166A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000031643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:49:01.403{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000031642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:49:01.403{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 354300x800000000000000031641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:48:58.876{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50323-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000031645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:02.835{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EFBD3DEDC0F990974A0B1D6E7679253,SHA256=A86BFC88291CCC7DF372B7CE2BBA68B652F1EB5E05E745A53C6D338908048788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:02.255{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=987751B795093C0101EEFD30E9847E4B,SHA256=08925813D8DB194AE6968700407C300DB638926D5E727E04523ECB286DE8BCAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:03.921{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6ADA2FC8F66EAD2A80CD1DCC92871D9,SHA256=C60943F7ED9CFB61603CC83C4557074F8F2CE446B2202E119A31E510A78C2E39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:03.343{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A14C047AD69130111DBD719FFD3018B,SHA256=0EC222ADF54055B1C7CAC0D5CE2D08F28C5C06DC1D87B05888F8B5E89A633EC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:03.008{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63212-false10.0.1.12-8000- 23542300x800000000000000039531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:04.430{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C37C67EFC402AAFC08F6DEDF475F5474,SHA256=02E981CC9A8F0AC72FCC8293B180272F69217DA29636E33D89033B842DEA5CF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:05.516{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B76BC9BD4DEF3631C1A7BC8D7927A9F,SHA256=1D80DB6F821E7B5077746E0A28C7B83D0B24087EDF15942A1DAF0F7ACA75C67E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:05.008{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=732A8A2B002AE1AC00C978DA92291C2D,SHA256=7FC950C02A97AE7EB8B60F420858A3209E047505A67AB1C49D78506FAA09F39F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:06.609{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A48306C59AAA5ACCB684788749E08FA,SHA256=8A48139ADB2577D67A925885612175C15DD5F3876706B40AE09DA28F406330E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:06.096{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3E894ADED779CB68E4192D0A0CA81C,SHA256=6E726BF47C9E8A3BE9034DBE7E1A261B327D692FDF96D5F457CA4C32A4B5F105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:07.696{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A28F1BC0C53E716E655736399733C548,SHA256=E7D25CA6AA9C5EF2E79290883DFFA5AE5B30E8F3C560AB7018F1683B2D360AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:07.197{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B65826027702249D69E1A1699D99B718,SHA256=7AEDB0A3AA4A72B7E196C4A401CC5E620EFE6BDD52B1596746EFA6ACBF0DAFE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:04.796{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50324-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000039536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:08.798{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69F80A71D87F5B8E79FB8A751DB84C15,SHA256=825975515F58F094D7402D1C4F7852DA33423CBB6B23A750FC5E3A64B48B65DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:08.300{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC199688B94DC8DFA587472E701521A,SHA256=5B388D1D1FC864A118AD598D823F6797AADD4C21E51DF4CDB1499FE52D92F5DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:09.872{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A57BEB0E7854DBF8DA4A2F901DAFDF14,SHA256=5B4C762302712C4F67A3222828E1BBF9122DD9BE8E1888E846572BC452EE066F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:09.390{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D780DA04FA53262BED3B1CA09E1D22,SHA256=0D01DE14381659939492424394E69A69E6DAE12C46618ABFFBDF1EDDF58C1E29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:09.639{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:09.632{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:09.629{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:09.627{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:09.625{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:09.601{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:09.596{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:09.577{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:09.571{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:09.566{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:09.557{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:09.549{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:09.535{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:09.527{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:09.518{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 23542300x800000000000000039540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:09.511{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F10761BF1FABE9ACA567A4E55D07BF6E,SHA256=D176E9D43E6FB26DF4788AECA2215E705A9EE9BCECF723BD66284464281BB053,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:09.510{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:09.473{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:09.470{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 23542300x800000000000000039566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:10.951{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EECE32106297AF0FDD5A808C3E71FC0,SHA256=423AA4325329905CF052765161CD6CCC8EC5AD55811EC3975D9BE31E604A7707,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:10.483{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C36F4E8B208A8D029F06881436BC608,SHA256=42C83B75CB8530029B0A89CC0CEE66DAF1E585AF143B16D9690F1D4A1F28BD1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:09.270{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63214-false10.0.1.12-8089- 354300x800000000000000039564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:08.843{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63213-false10.0.1.12-8000- 10341000x800000000000000039563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:10.071{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:10.063{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:10.061{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:10.057{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:10.051{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:10.036{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:10.033{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 23542300x800000000000000031653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:10.145{3AAE424D-DEE3-630D-1A00-000000007502}1788NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-057096b16942fd9f4\channels\health\respondent-20220830095653-050MD5=D4339613963D06E92774A3EB9FED8697,SHA256=EC6B2C8C371CA336E2A0B482E95A3B0DACA37B87AC3FADB516AE5F6436D8643B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.783{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.781{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.781{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.778{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.754{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.732{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.676{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.668{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.658{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.652{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.650{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.646{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.644{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.641{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.640{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.634{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 23542300x800000000000000031682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.633{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6859E5AA7F9FB615E1EF637DA2711CE8,SHA256=B762B238036E92921F1E09D454EF3E9E0E7E3CE6F296BC2DA1C5836B8A08E831,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.627{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.626{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.625{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.620{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.619{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.616{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.611{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.603{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.599{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.595{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.582{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.570{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.568{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 23542300x800000000000000031668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.564{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D2DCF3F73C2318D073697FD786BAC6,SHA256=329E750D3FFB3B2534EF9FE7ABB8252969813FD96EA22D162DF87ABA7ECDE2D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.556{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.520{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.514{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.498{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.485{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.464{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.458{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.446{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.427{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.403{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.392{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000031656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.389{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 23542300x800000000000000031655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:11.156{3AAE424D-DEE3-630D-1A00-000000007502}1788NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-057096b16942fd9f4\channels\health\surveyor-20220830095651-051MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:12.789{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A25187B59A6FDDC3BBA03E3213AEB6CE,SHA256=9FBDCB6BC2C017CC812F04AD5E3013B204520234C11FEB8DED8E2C078EE32A4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.916{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.916{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.916{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.916{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.916{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.916{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.916{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.916{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.916{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.916{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.916{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.916{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.916{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.916{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.916{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.916{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.916{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.916{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.916{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.916{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.916{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.916{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.916{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.916{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.916{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.702{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.690{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.665{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.651{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.641{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.634{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.633{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.630{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.627{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.619{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.616{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.615{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.612{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.611{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.610{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.609{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.608{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.607{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.605{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.089{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 10341000x800000000000000039568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.087{BEA5AFC2-E595-630D-7006-000000007402}52725304C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 23542300x800000000000000039567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:12.040{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B23A3A3087A5ED782F5712D2726A59C,SHA256=25E437CFFAE0814D7015895AC88ACDB2002A973728B62886436933612DE9D576,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:09.885{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50325-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000031701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:13.853{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83D8FB92D48737795DF1D8DE25EFD3BE,SHA256=A590AC343EBA17FD7C836C9BF0CE625EAD146A0E9B61558F2AC0B51CA7C35714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:13.245{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DB07BAFDEF10377DABC547E425A4C35,SHA256=55B7C1B02CF07AD5F5A107F57571740345B59FBE3C9D556591F14C1BAE30FB25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:14.931{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D93E9BF944839028DBDBF2193AC9E57,SHA256=E74618E0464FC9F796A1327D252401CC2B3751765A8A5A1CFF3758E150DBEB4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:13.254{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local63215-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000039617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:13.254{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local63215-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local389ldap 23542300x800000000000000039616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:14.594{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=602CC479759E3A2D4459A4F1FFBBC5A7,SHA256=1A1B9F566A160E23050E2336A0EF73D3262AB47B15302CA215EA344CC2167490,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:14.344{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E39D214B55B93D8D659D48ED382E844A,SHA256=0D97043B25449180BC8EDD25F4B56D880EF36C07DDF66F23F35FE2A34869B7CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:15.439{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F39CA3E34E48BAF6E8852FAEF27945A1,SHA256=173A4E9949F2C75E47313A7F03EE36C197269DC906E85D8C33AC8830D650A3E5,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000031721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:15.473{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\wpdshext.dll10.0.14393.4169 (rs1_release.210107-1130)Portable Devices Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShExt.dllMD5=CEB555E9099888316A1E2ADE83BA82BF,SHA256=4110FFD5F08100D1F6E1005E2907460E40B3221A0833B821BE291657416E89F0,IMPHASH=60006258D4DE87B31BEDA805A8CC8040trueMicrosoft WindowsValid 13241300x800000000000000031720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:49:15.457{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000031719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:49:15.457{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 734700x800000000000000031718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:15.457{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\mydocs.dll10.0.14393.4169 (rs1_release.210107-1130)My Documents Folder UIMicrosoft® Windows® Operating SystemMicrosoft Corporationmydocs.dllMD5=999FD44CF5713852E6083A43A7917761,SHA256=D5C75951C29B7F0AAA4EC9E9AB3195933E650C1F171092F389FD4DB66CA1CA20,IMPHASH=D1267CC8F49B54A66A0034D2C4452E93trueMicrosoft WindowsValid 13241300x800000000000000031717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:49:15.457{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 734700x800000000000000031716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:15.457{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\sendmail.dll10.0.14393.4169 (rs1_release.210107-1130)Send MailMicrosoft® Windows® Operating SystemMicrosoft CorporationSENDMAIL.DLLMD5=04626525E567811FC7ECB3E31D94F8B0,SHA256=678A3A9DD713DC61F72112BD3160B8753F1A50D1179FDFABD265C32103980A6A,IMPHASH=52DBB027F849F4DB11CB3C2B56C0E9FBtrueMicrosoft WindowsValid 13241300x800000000000000031715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:49:15.457{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000031714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:49:15.457{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000031713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:49:15.442{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\@C:\Windows\System32\isoburn.exe,-351Burn disc image 13241300x800000000000000031712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:49:15.442{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000031711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:49:15.426{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iso\OpenWithProgids\Windows.IsoFileBinary Data 13241300x800000000000000031710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:49:15.426{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000031709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:49:15.426{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000031708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:49:15.426{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000031707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:49:15.426{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000031706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:49:15.426{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000031705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:49:15.426{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000031704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:49:15.426{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000031703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:49:15.426{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 23542300x800000000000000039620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:16.534{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB601771C5F4AC0C7147DB68E5341936,SHA256=AD48747AFEA5387A4E242F4D479897A13D7505A34FA846430BB1447ED1A54769,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:16.020{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9E3DC0E0E92B0DF7254C2F8EE0E26A,SHA256=A43511C64164F4BC78BDE612D18C94DF7A7C106181E43472BAD933843F704E0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:14.822{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63216-false10.0.1.12-8000- 23542300x800000000000000039622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:17.931{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F20F6D24CB643D481A079BF63F0EA35F,SHA256=2B3EDF03D1978AB4E5389FA845D20C3D38002728C38F2EE759FC401887537FB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:17.618{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90316435A8C9B185EB630559828E1AAC,SHA256=DEE5441353C65C09E59EAF93752AF0CECB1A6B55AC8E51C23DB38BD8B61AAE5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:15.746{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50326-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000031723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:17.113{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4620408BB687C2DDAD15D9339C3D7876,SHA256=945239E84BB167AF3C35BF6CD972902EDB8A801DCA7FC0B79D90D94ABEB230FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:18.719{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7345A1292F195A38F8366FB0E2664ABC,SHA256=9EC86F0AD6EF337197BCDA17F16F743F5CA7B3B1CF63F2DA459173123F196567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:18.207{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F12EBEC29700DCAF4F35D087502BF8,SHA256=F2FA3F6C4003A89451603FE387F1697D08E66EAFC4C8475EE231E6DD03EB7B1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:19.812{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93DB7B0E01D10BA34774A55F6DD1378F,SHA256=C6AA8CDD6D7F3BF4F02221BC9BCDFE8F4DAB4C6DB5381033A9343D2F3CEDC03C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.698{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F85CC61D5E956F191FBFA323D2F52FC1,SHA256=6D8BD0C69ADE5438EEC2F97AFBFC127A544995C86DEB7DA2A37F83A7219AA554,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.610{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000031789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.610{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000031788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.610{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000031787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.609{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000031786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.609{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000031785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.609{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 13241300x800000000000000031784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:49:19.605{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000004043C\VirtualDesktopBinary Data 13241300x800000000000000031783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:49:19.571{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 10341000x800000000000000031782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.568{3AAE424D-E5C4-630D-4D03-000000007502}38763224C:\Windows\system32\taskhostw.exe{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.566{3AAE424D-E5C4-630D-4D03-000000007502}38763224C:\Windows\system32\taskhostw.exe{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000031780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:49:19.564{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000F02F2\VirtualDesktopBinary Data 13241300x800000000000000031779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:49:19.564{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000040300\VirtualDesktopBinary Data 10341000x800000000000000031778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.548{3AAE424D-E5C4-630D-5403-000000007502}36044756C:\Windows\Explorer.EXE{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.548{3AAE424D-E5C4-630D-5403-000000007502}36044756C:\Windows\Explorer.EXE{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.548{3AAE424D-E5C4-630D-5403-000000007502}36044756C:\Windows\Explorer.EXE{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.548{3AAE424D-E5C4-630D-5403-000000007502}36044756C:\Windows\Explorer.EXE{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000031774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.517{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x800000000000000031773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.517{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 10341000x800000000000000031772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.517{3AAE424D-DEE2-630D-0B00-000000007502}6243860C:\Windows\system32\lsass.exe{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000031771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.517{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\ExplorerFrame.dll10.0.14393.4169 (rs1_release.210107-1130)ExplorerFrameMicrosoft® Windows® Operating SystemMicrosoft CorporationExplorerFrame.dllMD5=BB0850797E5D50E70FFB3FFCEBFE77A9,SHA256=042F69100AAEB04CF79872035422A033FB87F2F0113EE89AB6B61FFA41A224D8,IMPHASH=BE381F028EB6D274783D5F8AA4F3DCECtrueMicrosoft WindowsValid 734700x800000000000000031770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.517{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x800000000000000031769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.517{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000031768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.517{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Program Files\7-Zip\7z.dll22.017z Plugin7-ZipIgor Pavlov7z.dllMD5=BBF51226A8670475F283A2D57460D46C,SHA256=73578F14D50F747EFA82527A503F1AD542F9DB170E2901EDDB54D6BCE93FC00E,IMPHASH=4A683D6F78CDDF7C7CDA44D5A4669025false-Unavailable 10341000x800000000000000031767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.517{3AAE424D-DEE2-630D-0B00-000000007502}6243860C:\Windows\system32\lsass.exe{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.517{3AAE424D-DEE2-630D-0B00-000000007502}6243860C:\Windows\system32\lsass.exe{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.517{3AAE424D-DEE3-630D-1400-000000007502}8642424C:\Windows\system32\svchost.exe{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.517{3AAE424D-DEE3-630D-1400-000000007502}8641088C:\Windows\system32\svchost.exe{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000031763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.517{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000031762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.517{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000031761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.517{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000031760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.517{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000031759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.517{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000031758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.517{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000031757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.517{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000031756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.517{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000031755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.517{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000031754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.502{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000031753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.502{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x800000000000000031752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.502{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000031751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.502{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x800000000000000031750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.502{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000031749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.502{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000031748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.502{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000031747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.502{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000031746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.502{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000031745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.502{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000031744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.502{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000031743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.502{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000031742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.502{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000031741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.502{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000031740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.502{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000031739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.502{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x800000000000000031738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.502{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\comdlg32.dll10.0.14393.5192 (rs1_release.220610-1622)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=F8BDE1A5CF167F3CB31D90BAFCA37CF0,SHA256=F356387B7DA3C0D7C8DE54B1DD08258F0FA974403BE11534CAC2C7A276DDFBA8,IMPHASH=06716A63D3E6F97CB489B0D6810B3519trueMicrosoft WindowsValid 734700x800000000000000031737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.502{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000031736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.502{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000031735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.502{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000031734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.502{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exeC:\Program Files\7-Zip\7zG.exe22.017-Zip GUI7-ZipIgor Pavlov7zg.exeMD5=5AB26FFD7B3C23A796138640B1737B48,SHA256=EB775B0E8CC349032187C2329FEFCF64F5FEED4D148034C060E227ADF6D38500,IMPHASH=F5976AA5B71D78D164DDC61EA72A2DA7false-Unavailable 10341000x800000000000000031733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.502{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.502{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.502{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.502{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.502{3AAE424D-E5C0-630D-4003-000000007502}3152512C:\Windows\system32\csrss.exe{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.502{3AAE424D-E5C4-630D-5403-000000007502}36044168C:\Windows\Explorer.EXE{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\7-Zip\7-zip.dll+558c|C:\Program Files\7-Zip\7-zip.dll+6955|C:\Program Files\7-Zip\7-zip.dll+712e|C:\Program Files\7-Zip\7-zip.dll+7467|C:\Program Files\7-Zip\7-zip.dll+8f1a|C:\Program Files\7-Zip\7-zip.dll+c541|C:\Windows\System32\SHELL32.dll+8e02f|C:\Windows\System32\SHELL32.dll+cf48e|C:\Windows\System32\SHELL32.dll+18377c|C:\Windows\System32\SHELL32.dll+19e928|C:\Windows\System32\SHELL32.dll+2845c3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+183a20|C:\Windows\System32\SHELL32.dll+180dfe|C:\Windows\System32\SHELL32.dll+81601|C:\Windows\System32\SHELL32.dll+844e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15 154100x800000000000000031727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.509{3AAE424D-EB2F-630D-2804-000000007502}5736C:\Program Files\7-Zip\7zG.exe22.017-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" h -scrcSHA1 -i#7zMap3786:38:7zEvent29358C:\Windows\system32\WIN-HOST-CTUS-A\Administrator{3AAE424D-E5C3-630D-A9E7-310000000000}0x31e7a92HighMD5=5AB26FFD7B3C23A796138640B1737B48,SHA256=EB775B0E8CC349032187C2329FEFCF64F5FEED4D148034C060E227ADF6D38500,IMPHASH=F5976AA5B71D78D164DDC61EA72A2DA7{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x800000000000000031726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:19.298{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B1809AE7E57A4F1935EBD5C14992283,SHA256=552298B2F08FE3844400F9C04D331D2FB6C7AA00135866D3C61EB00DC0498E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:20.898{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67B7252C93EBA493CAFC78B47A683B67,SHA256=5ED2B9875E02DF61F6AFE446DC93D786605AEB0F91BF10959730B3DDC0972C41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:20.837{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68F8392B0308F434FD11275CE0ABC53D,SHA256=CB614BF428CCF8F5E0856FBD9CFD8083B14F458C87324B63D021A001AFE6BBB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:20.418{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EBA41F1B2E4E9002B7A16808EFCCB01,SHA256=38AD475481A7F1DFF8627816813896FF86F062FD671603659E7553CA967278EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:21.992{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0245DF2A882436A5E49F12AE8D16198D,SHA256=2E3F5AD3AFF9B434EBD23440C6548FC741F844F2F367B45CC35B271FE651B1BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:21.510{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5571CF4610FDFCEEF62D98A1945087A,SHA256=262F10ADA721502A2D3DAE3483AB8BB560C5505FA5FD051C117F2D2467B41E73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:22.590{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B195657E9FBD7DD532872D4318C4495,SHA256=0C055EB1BF79D5894296B4021B5742E1035E77013D808CCA391B0BD34A7AB658,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:20.860{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50327-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000039628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:19.953{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63217-false10.0.1.12-8000- 13241300x800000000000000031802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:49:23.667{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000004043C\VirtualDesktopBinary Data 13241300x800000000000000031801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:49:23.635{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000031800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:49:23.635{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x800000000000000031799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:49:23.618{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 12241200x800000000000000031798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:49:23.603{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000004043C 23542300x800000000000000031797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:23.571{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57636E99E36B3CEBF51DDD48E43EA571,SHA256=8C10DD7E7DFB64CB8BF5B7CE34FC5308202E69292DE740CFFE76EC3DABAEE09B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:23.090{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A5CCEA6A772D311147624C1399CDA6A,SHA256=9FF9B59179F2851EC10ED46F82127F44ACD1814F43372E5B110872903A7F6CD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:24.654{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C59557925F8308F0C8698A506428B56F,SHA256=435D16F832EADCC8F329E3CB8E27AC69F7176CF781116285DBD5DC02D6F988F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:24.660{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B448E9C754228726DD42DFEB45FA2DF,SHA256=B8FC7B4CFB24843DC76709A531CC93B94E3AF79640D6B54A31342E27A94BEEC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:24.175{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D88D4D2AC727F6F87C628FEAE7E44E0,SHA256=7630228E811239D851E83EBBC5878DE6A896A45E36BE5EA8601B51C104E88BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:25.862{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=509CA3E23EC96F7F02F1DFC7FDBFAB74,SHA256=CE82419FE6701E66E311A78D3E21EF4D5F331DF4EB844A3FD291C16810D5FB9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:25.267{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D78BCB6C0F48DEFC3793C005857437BE,SHA256=487F8BC5C5A23CE33D9753156AAE66879E09EC0B534A717E0DAEF303B807EAEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:26.948{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=933E14C040946FD28C14228C02B764F1,SHA256=8D84FBB8B2595E599DE08E885554905ED4146D88ABD14405DCC12E96409C50C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:26.346{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E25605C387A5679E91A72D67A8C378AB,SHA256=943F69EF01FEA1811327E73F7237CD5206F854F44B47B40A61F4BC0D18CB6224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:27.448{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=886FD1F44C9DA6788399C895CF0BD2DE,SHA256=40547892D77563B3F09C264114B43649D4FFB1AE65C693D3334A84FF390E8C71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:27.433{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F10761BF1FABE9ACA567A4E55D07BF6E,SHA256=D176E9D43E6FB26DF4788AECA2215E705A9EE9BCECF723BD66284464281BB053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:28.539{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771AE4B29AC0AC40AEE4DB8670AE6EDE,SHA256=294631465CB8037EB5D95F9FF21E494B509ACCA181A9F148CC0587F66F5A56EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:26.799{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50328-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000031807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:28.043{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=824997D425278432C53BAD81FE3BE3AC,SHA256=EC719517CB549A2953164E9417AFDA6CFC2ED1C38710FB7A467171B7EAA869DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:29.640{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:29.634{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:29.631{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:29.630{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:29.628{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 23542300x800000000000000039650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:29.626{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB686A476DBC658936548D52DBE67CD,SHA256=F9842D15F50560A3BD2F5B1725AA552F36E1F6977E8DB13D61E3E07E817744A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:29.604{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:29.599{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:29.585{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:29.579{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:29.569{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:29.561{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:29.554{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:29.542{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 354300x800000000000000031810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:27.129{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50329-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000031809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:29.129{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=560CD7280832E6CE74996E1B997EFB04,SHA256=B7D1DD340F4AEC66CE27BD2CE52F492A637FEDE8A4E11D472E5C9B364EEE494A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:29.536{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:29.528{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:29.521{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:29.486{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:29.483{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 354300x800000000000000039636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:25.840{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63218-false10.0.1.12-8000- 23542300x800000000000000039663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:30.579{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5713E744DDDDEAEC2AC3E4D3F193FF8C,SHA256=703FA757C23EE7FC1C99E75E813944562BAC10B495BF3816D8A6E3091FA9EDDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:30.213{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5F5A8DB9ABBD89F45A229D34CA3E8F9,SHA256=47FEBEBA5B0BB133390247CD8138DC6109783CC39D3F7D5080ABCB8FF8D4119D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:30.056{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:30.052{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:30.050{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:30.048{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:30.043{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:30.027{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:30.024{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:31.929{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:31.929{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:31.929{BEA5AFC2-DC7F-630D-0B00-000000007402}640768C:\Windows\system32\lsass.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:31.917{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-E595-630D-7006-000000007402}5272C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:31.681{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0FDCB02C427789E1BE087993B9B91CE,SHA256=4D985B5EBB8FF0D8A09D8AED9A4E6474A44EA8A982AD13A8E63F72C7409B61D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.714{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.712{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.712{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.710{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.695{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.684{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.655{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.645{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.631{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.622{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.620{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.617{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.615{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.613{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.611{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.607{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.605{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.603{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.602{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.600{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.597{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.595{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.590{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.582{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.573{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.570{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.562{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.545{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.543{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.534{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.507{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.500{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.492{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.485{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.464{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.454{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.434{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.421{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.398{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.388{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000031813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.386{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 23542300x800000000000000031812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.290{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2578A6D4277356E8DD3B942F28E55B22,SHA256=0BDA554C473FD0BFB35118F321FCB787D4F3836C4956E1F84B7FF706758594FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:32.647{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B89792F8245721A6683AED649BCCEA69,SHA256=351DFD65F9967A9023727C84A3FE2275F3F79DE10A56CEB8B921259359A9E92B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:32.681{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:32.673{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:32.644{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:32.638{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:32.628{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:32.621{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:32.620{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:32.617{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:32.615{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:32.612{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:32.610{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:32.609{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:32.605{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:32.604{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:32.603{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:32.602{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:32.602{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:32.601{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:32.599{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 23542300x800000000000000039671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:32.413{BEA5AFC2-DC92-630D-2300-000000007402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00bf26b22d19118c1\channels\health\respondent-20220830094700-060MD5=C491190F90C7972FBE76687DCEFF5872,SHA256=DB0E0926111D00D550C987F8CEF70C29389AC9CA5369CEC4CC3BEF95D75DEA18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:32.090{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000039669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:32.089{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 23542300x800000000000000031865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:33.726{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA850975DF75C24AC05AAC2276652A98,SHA256=F4B0574175422F740656B73CC1DEEEEA7C6ED25CB300CC929FC8F8E46B8F8F36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:33.415{BEA5AFC2-DC92-630D-2300-000000007402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00bf26b22d19118c1\channels\health\surveyor-20220830094658-061MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:33.216{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC5F3C6BAB9FACF28927B6547496A72,SHA256=DD20C9F75335E2F9939C4E6218EAFF7775E9DA2CA01A3632D1790D31C40192AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:33.656{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:33.656{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:33.656{3AAE424D-DEE2-630D-0B00-000000007502}6243860C:\Windows\system32\lsass.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000031861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:33.648{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x800000000000000031860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:33.648{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x800000000000000031859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:33.647{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x800000000000000031858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:33.643{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x800000000000000031857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:33.643{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x800000000000000031856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:33.643{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x800000000000000031855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:33.642{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000031867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:34.813{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169EC5283DCAD06B38557FEBA9726928,SHA256=67B994549192348BF2E135C7164E3979718D2A11FB853C724B1C465C6CC5AA15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:34.406{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=067FCC6807D3F69FF8428EBC8C20D361,SHA256=6E3F301C1A19B0737B95DB0B783A13ABAFE69C8B8F9F4955BB2C71871C412A70,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:31.903{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50330-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000039693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:30.888{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63219-false10.0.1.12-8000- 23542300x800000000000000031868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:35.905{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057FE951608A36C299590ED14F201963,SHA256=9C537938BAF6DA41DB8D7CB2F2F4EE77D178A390FC7D4EBB64AB8E381973CDDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:35.501{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB2C5AC0A4C9F244548E5DF83AD4CEF0,SHA256=87A5612A94806236277E2D5187480680E02D9560D72DF7D339B7447586DA2CA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:36.992{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8263FE741F1FBBECB4D0F839EE8F5DAF,SHA256=1CA4284305B4D30C744E07F255ADA7488C6E6CEB317D437B487C9FEE00689B8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:36.603{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ED0657665E186284592028A3B64434E,SHA256=2A0ADEAB43CA60F29E5468A8D3CADB8E4AFD78957C95C975A91BED0CA2737B4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:37.704{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC125A021851601FEA5D4BA7A5B5C673,SHA256=8A9E92F767FC97D561597152C0787C7BB9D5DFE889E24B675566568C950E2CA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:38.798{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4062FB9FB26AE8FD31DA805E81B597,SHA256=C71F617DF32EF142C205B48E4CDF321DBC572E7759B269372D4EF228264A7E68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:38.086{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F1C0EB2A3ABE6056039539DE4D7EC8,SHA256=F53D0FE963EA1292CC8ECE1ABE42987B967D61B8D7129CE119C0AAB4B7EEE094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:39.884{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B71DB628D82564D89A45880DA6855C,SHA256=673072AE0DE301547FE238051D1B6123A1C3ED5236B390CDFDFE8269B1F71A46,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:36.921{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50331-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000031871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:39.181{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A78B0F3685B8928BD24F09F1FFBEFF53,SHA256=74796DA35F574A320E6E22D099F02F3989A0E377ECF9B76368B463132AC65FB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:36.831{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63220-false10.0.1.12-8000- 23542300x800000000000000039701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:40.962{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA1118DCDF438A73460B6D3683ABA192,SHA256=C4CADBBA5CE08106EADAFAC38D0000613D7CA75B2507765C33F9E7A9D5C0CA99,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000031928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.979{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000031927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.979{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000031926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.979{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000031925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.791{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000031924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.791{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000031923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.791{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000031922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.791{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000031921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.791{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000031920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.791{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000031919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.791{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000031918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.791{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000031917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000031916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000031915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000031914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000031913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000031912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000031911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000031910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000031909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000031908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000031907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000031906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000031905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000031904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000031903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000031902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000031901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000031900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000031899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000031898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000031897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000031896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000031895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000031894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000031893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000031892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000031891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000031890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000031889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000031888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000031887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000031886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000031885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000031884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000031883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000031882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000031881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x800000000000000031880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.775{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.777{3AAE424D-EB44-630D-2904-000000007502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:40.269{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7E7AEB00D9572AB2696B089CEDF36AE,SHA256=685F8F6DDF90FF862594D575B7955AC38B1A94F3E8E9AA18FC604B23EE230159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.874{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A6023C7B32BE6181690B778D7B0E567,SHA256=05D8AACED98A12BB39BFEAAC65CC3D2C8E42AEE1E7D04A2590118D3CAC369526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.796{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=27E70E249CF288F9196A4A82CDB7A898,SHA256=2AE876A8F2250B37C61B73DA48EF14A839D73F1528EF5B242D7863EA26B89744,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000031981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.640{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000031980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.640{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000031979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.624{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000031978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.577{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCCF0C3480FF7EE320AD08CDE4706E71,SHA256=B6C0FD7F3CC6270D7677A3E1DBDF83B62ED5997661916BA052EC1CF7895B7BBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.577{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=31731FB09354607DAE0A1D5D5666E347,SHA256=92AE2C4318B0BBDEF7EF2E70B3ED10FAA09F672B7ECBEF5A8B4925A07935D8FC,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000031976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.468{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000031975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.468{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000031974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.468{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000031973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.468{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000031972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.468{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000031971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.468{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000031970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.468{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000031969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.468{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000031968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.468{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000031967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.468{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000031966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.468{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000031965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000031964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000031963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000031962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000031961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000031960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000031959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000031958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000031957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000031956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000031955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000031954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000031953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000031952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000031951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000031950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000031949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000031948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000031947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000031946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000031945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000031944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000031943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000031942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000031941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000031940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000031939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000031938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000031937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000031936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x800000000000000031935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.452{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:41.453{3AAE424D-EB45-630D-2A04-000000007502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000032087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.968{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000032086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.968{3AAE424D-EB46-630D-2C04-000000007502}53885004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000032085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.968{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000032084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.968{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000032083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.874{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DFBC240EEA6D7D82362E6E922750A64,SHA256=BE0577F303B098B5A4CC18692D030EE5EE3C1B9A12B26DA7F5EAA84CDEEE4D36,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000032082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.812{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000032081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.812{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000032080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.812{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000032079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.812{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000032078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.812{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000032077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.812{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000032076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.812{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000032075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.812{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000032074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000032073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000032072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000032071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000032070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000032069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000032068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000032067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000032066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000032065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000032064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000032063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000032062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000032061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000032060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000032059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000032058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000032057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000032056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000032055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000032054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000032053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000032052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000032051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000032050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000032049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000032048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000032047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000032046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000032045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000032044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000032043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000032042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-DEE2-630D-0500-000000007502}4081028C:\Windows\system32\csrss.exe{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.796{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.797{3AAE424D-EB46-630D-2C04-000000007502}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:42.189{BEA5AFC2-DC81-630D-1000-000000007402}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5905C060CEFD27DD16DD9803B0C846F5,SHA256=AC6C63D5043E737DB6367D1BC0A5538A45B0B42DF2446E0D8398B486FE9DCE60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:42.064{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA3FDA931C650F1A95B4B34B0BD74991,SHA256=E218EBBB383AB62CA94F15A5E347F936782E50E8EF6D83720740917CF734589D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.431{3AAE424D-EB46-630D-2B04-000000007502}52845528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000032034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.431{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000032033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.430{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000032032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.284{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7BD20C76DC08AD395ACB5D03AFA79A,SHA256=0412C14CA50FB2B89F90382C66DFB55065D8BD71C32F8E15F4FF9EB57119D29C,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000032031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.155{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000032030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.155{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000032029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.155{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000032028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.155{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000032027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.140{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000032026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.140{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000032025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.140{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000032024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.140{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000032023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.140{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000032022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.140{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000032021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.140{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000032020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.140{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000032019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.140{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000032018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000032017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000032016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000032015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000032014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000032013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000032012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000032011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000032010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000032009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000032008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000032007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000032006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000032005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000032004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000032003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000032002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000032001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000032000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000031999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000031998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000031997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000031996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000031995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000031994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000031993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000031992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000031991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x800000000000000031990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-DEE2-630D-0500-000000007502}4081028C:\Windows\system32\csrss.exe{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.124{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.125{3AAE424D-EB46-630D-2B04-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000032136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.879{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000032135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.879{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000032134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.879{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000032133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.862{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000032132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.862{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000032131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.862{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000032130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.862{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000032129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.862{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000032128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000032127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000032126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000032125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000032124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000032123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000032122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000032121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000032120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000032119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000032118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000032117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000032116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000032115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000032114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000032113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000032112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000032111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000032110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000032109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000032108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000032107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000032106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000032105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000032104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000032103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000032102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000032101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000032100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000032099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000032098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000032097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000032096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000032095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000032094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x800000000000000032093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.849{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:43.847{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=708F83B500C0C20F7DFF9D943238B89B,SHA256=30F5207ED905805308B94FA3D396DB0ED203228C036C0C643015740078FF50BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:43.159{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C00D555498A65B1DA71976F11B4181D,SHA256=9E532ED56B1D9AC66B56FB33B90FF5585B65E14616B827D3639B4E6471DD3705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.993{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB2AE0D07B2F92A5D569B9CA3C934C09,SHA256=1DE6B9A1F4E72D07F2D2E97A8BD1D1A88843EC4755A0F7EE3F65BD67F69AF3CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:41.946{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63221-false10.0.1.12-8000- 23542300x800000000000000039705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:44.352{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF19CA858ED841FCB792B624A5F6216,SHA256=AF5F10A90391E0193192D6C7DE7ECED3C9EA3ED007FD37E51F9354461D579B7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:42.835{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50332-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x800000000000000032197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.757{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000032196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.757{3AAE424D-EB48-630D-2E04-000000007502}54165328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000032195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.757{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000032194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.757{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x800000000000000032193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.725{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.725{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.725{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.724{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.724{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.724{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 734700x800000000000000032187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.551{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000032186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.551{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000032185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.551{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000032184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.551{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000032183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.551{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000032182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.551{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000032181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.551{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000032180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.536{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000032179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.536{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000032178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.536{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000032177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.536{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000032176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.536{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000032175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000032174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000032173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000032172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000032171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000032170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000032169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000032168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000032167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000032166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000032165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000032164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000032163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000032162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000032161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000032160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000032159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000032158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000032157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000032156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000032155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000032154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000032153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000032152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000032151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000032150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000032149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000032148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000032147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.520{3AAE424D-EB48-630D-2E04-000000007502}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000032140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.050{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000032139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.050{3AAE424D-EB47-630D-2D04-000000007502}54125276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000032138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.034{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000032137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:44.034{3AAE424D-EB47-630D-2D04-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000039707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:45.426{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F92E2BE7DA3655F37D059BABA13D606C,SHA256=1B5ACEDA21348A064088E9B552EA107765036D8F67A92FDEB52B4D9EAB10AD60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:45.009{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89F1CB49B1E638C956C9CA5E2C97C167,SHA256=2E5D513A88594842B3EA472B4896413B8611B8A732246FB84F5AB0E6D06F57F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:46.508{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9FE426AAEAB4AD5609F9205E4A80ACA,SHA256=1DCE82E6CD918737EFFAC5AC85B167E02719ACB71C5F5C4017A21EFCA5206B2A,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000032252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.293{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000032251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.293{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000032250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.293{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000032249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.120{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000032248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.120{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000032247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.120{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000032246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.120{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000032245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.120{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000032244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.120{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000032243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.120{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000032242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000032241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000032240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000032239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000032238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000032237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000032236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000032235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x800000000000000032234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000032233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000032232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000032231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000032230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000032229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000032228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000032227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000032226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000032225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000032224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000032223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000032222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000032221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000032220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000032219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000032218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000032217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000032216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000032215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000032214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000032213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000032212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000032211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000032210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000032209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x800000000000000032208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-DEE2-630D-0500-000000007502}4081028C:\Windows\system32\csrss.exe{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.104{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.105{3AAE424D-EB4A-630D-2F04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:46.089{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D3625C32D9D18AD9A1DF254E706A3C,SHA256=D2BBA6375554F6873C1C6D80FE33FB2D6DA3FA623B3CF7F0552454D28FBF41E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:47.607{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EB4B-630D-2D07-000000007402}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:47.607{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:47.607{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:47.607{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:47.607{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:47.607{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EB4B-630D-2D07-000000007402}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:47.607{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EB4B-630D-2D07-000000007402}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:47.607{BEA5AFC2-EB4B-630D-2D07-000000007402}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:47.590{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A734241DC5D16E032F5CA36492A954E,SHA256=67530DA33F6F44915183616903F5F7C729BD2BFAF9C500983BDB93DA7112AB4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:47.307{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9FA18B72835DF2C148F89D2F8F2B63C,SHA256=B114C21E9B1C16E3BC90EB0DDED05D802523CA140E243EF7F4FD4046A5C4119A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:47.213{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B8555678BF85BB8E0849B5A469DA16A,SHA256=D7D7940AD0DA02BEF0D24904A6DFC83BA88E2EBB8BF84CCBA0788EEF565F052A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:48.947{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EB4C-630D-2F07-000000007402}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:48.947{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:48.947{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:48.947{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:48.947{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:48.947{BEA5AFC2-DC7F-630D-0500-000000007402}416500C:\Windows\system32\csrss.exe{BEA5AFC2-EB4C-630D-2F07-000000007402}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:48.947{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EB4C-630D-2F07-000000007402}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:48.948{BEA5AFC2-EB4C-630D-2F07-000000007402}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:48.681{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8C5338B9258AF5AA9D7815B34ED035D,SHA256=6C6021BEE54F811F503392955D3730F13BC2C9D78B833478A93B02AA0FBB8731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:48.635{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CEB76C85A92A028D7DCF762AFE161E4,SHA256=43E4861CA8416B92391A21B50963BF473E1887C0976BA46D4FD7022C922F4401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:48.300{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9804B2D1BAD111120DE1AD006E1012B,SHA256=849A8D5C5F6CC78A25B686D5E801E02CB24C0E96F17EDD4848390E50A6959DB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:48.522{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=95F15BC3FEF73C8A6ECF3BCEF1F3307F,SHA256=C511C0060CF3BB450F662DB53E61B0ACC4CF09936289BC6F7B5CF48E1BE67C85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:48.435{BEA5AFC2-EB4C-630D-2E07-000000007402}56885744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:48.279{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EB4C-630D-2E07-000000007402}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:48.279{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:48.279{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:48.279{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:48.279{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:48.279{BEA5AFC2-DC7F-630D-0500-000000007402}416432C:\Windows\system32\csrss.exe{BEA5AFC2-EB4C-630D-2E07-000000007402}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:48.279{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EB4C-630D-2E07-000000007402}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:48.279{BEA5AFC2-EB4C-630D-2E07-000000007402}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:48.107{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6E86B04F88C95CA993CC5F4B786DC91E,SHA256=C33884D9EB879EF1EAC665F272E6271C019420BF540BD7DB21DD64D3B1F63AA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.995{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.994{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.992{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.986{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.972{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.968{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 23542300x800000000000000039766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.855{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE376DD6DCF75686511E74A2A3F55540,SHA256=7CACB1BB1F12606CA35459FC6FEFEBFB72856DC49498825F39F391E8E6E44FCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.768{BEA5AFC2-EB4D-630D-3007-000000007402}69967032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000032257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:47.884{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50333-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000032256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:49.401{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2EAF9B88AB2CC04FF1927A109B47552,SHA256=8B77F2BF347D3516BB43020B97F18C781FFDFE1D853698D954C3AB5EB8843BF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.624{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.618{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.618{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EB4D-630D-3007-000000007402}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.616{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.616{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.616{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.615{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.615{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.615{BEA5AFC2-DC7F-630D-0500-000000007402}416432C:\Windows\system32\csrss.exe{BEA5AFC2-EB4D-630D-3007-000000007402}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.615{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EB4D-630D-3007-000000007402}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.614{BEA5AFC2-EB4D-630D-3007-000000007402}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000039753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.614{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.612{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.582{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.577{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.564{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.558{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.554{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.546{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.539{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.529{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.523{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.515{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.509{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.476{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:49.474{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 23542300x800000000000000039784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:50.837{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2A27B01869B925E80433C2DA9F2D674,SHA256=44FB13D16B1B65CD9CABADE99D8A543F6D3FC90BBD0981B148264C3D9B0DA217,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:50.597{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99D7D9086A734A1C64B15553B00CD84E,SHA256=A4E9A91B37FF0238A688BF39AAD352786FAB759A96E25E408546BC03A35A8597,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:50.744{BEA5AFC2-EB4E-630D-3107-000000007402}70526828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:50.593{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EB4E-630D-3107-000000007402}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:50.591{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:50.591{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:50.591{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:50.591{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:50.590{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EB4E-630D-3107-000000007402}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:50.590{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EB4E-630D-3107-000000007402}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:50.590{BEA5AFC2-EB4E-630D-3107-000000007402}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000039774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:47.864{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63222-false10.0.1.12-8000- 10341000x800000000000000039773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:50.000{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 23542300x800000000000000039801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:51.920{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95904C3729D915D548CE6EFBE517F27E,SHA256=54865F933141766E84730A25E834770A70066A5ED50BF058C0037066C2078460,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:51.888{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EB4F-630D-3307-000000007402}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:51.888{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:51.888{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:51.888{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:51.888{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:51.888{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EB4F-630D-3307-000000007402}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:51.888{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EB4F-630D-3307-000000007402}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:51.889{BEA5AFC2-EB4F-630D-3307-000000007402}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.804{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56A576CEEA655E6B16ED6F84901201FC,SHA256=C816E99A6B57F3895E0CA4D13F3E2FC93DF8BF2440821F1C4241A2B52012E835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.789{3AAE424D-DEE3-630D-1100-000000007502}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9A3412EFA1A0DE00090130A4F1501BA9,SHA256=CAD2C1E3355848AB812192D0F5EB668B1AB3CC6325711F648C82C346159736B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.682{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.681{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.681{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.680{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.663{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.647{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.618{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.612{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000039792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:51.261{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EB4F-630D-3207-000000007402}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:51.261{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:51.261{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:51.261{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:51.261{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:51.261{BEA5AFC2-DC7F-630D-0500-000000007402}416432C:\Windows\system32\csrss.exe{BEA5AFC2-EB4F-630D-3207-000000007402}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:51.261{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EB4F-630D-3207-000000007402}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:51.261{BEA5AFC2-EB4F-630D-3207-000000007402}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.599{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.591{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.587{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.582{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.580{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.578{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.574{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.571{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.569{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.569{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.568{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.565{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.564{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.562{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.558{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.551{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.548{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.546{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.534{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.510{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.504{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.490{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.465{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.459{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.452{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.445{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.434{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.425{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.417{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.409{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.398{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.387{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.381{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 13241300x800000000000000032261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:49:51.292{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\LastSyncTimeBinary Data 734700x800000000000000032260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.276{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\System32\svchost.exeC:\Windows\System32\cabinet.dll5.00 (rs1_release.160715-1616)Microsoft® Cabinet File APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcabinet.dllMD5=08A4A2712DB2AE10E483FB74E46B0E73,SHA256=EEB32E3E4256CC9935227ACD5BA576B75F1F6FE3C818D2127513CB22F823FECB,IMPHASH=536E202FBC448C2C3B40D60D87620951trueMicrosoft WindowsValid 734700x800000000000000032259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:51.212{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\System32\svchost.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355,IMPHASH=FE994282C73F9AB11AC9B6E37AC26B47trueMicrosoft WindowsValid 354300x800000000000000032306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:50.952{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50334-false208.111.186.0https-208-111-186-0.mdw.llnw.net80http 23542300x800000000000000032305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:52.659{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE5150DA0C1EB9598321A26A1743006D,SHA256=E0BD017664A0F8ADA155F8C8188B6999B30C977AF0592DA78A5E7AB16CFC1A56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:52.632{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:52.622{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 354300x800000000000000039822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:51.008{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal51089- 10341000x800000000000000039821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:52.588{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:52.579{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:52.566{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:52.561{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:52.559{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:52.557{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:52.554{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:52.551{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:52.548{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:52.547{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:52.544{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:52.543{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:52.542{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:52.541{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:52.540{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:52.539{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:52.537{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:52.032{BEA5AFC2-EB4F-630D-3307-000000007402}66203208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:52.032{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000039802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:52.030{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 23542300x800000000000000032307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:53.758{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E4C6CCFF913BBF342EEB4990B878C9D,SHA256=22F03B173B55CDCF4C167B656E75A77ECDFDC91CEB0BE50165A7A897D166E8E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:53.108{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC65F6618B3A244EC398617C25BBE704,SHA256=02DC8645312EF001A7C5B5431B35EA510161ABE8824604FCD743787046EE0B11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:54.952{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A704C9EC2AA49A3FE9946D9DD94E72AE,SHA256=E6EE2D86AD5CD2F220F02C2B33E981A6B33CC807AE5B8FE360CAAB86CB1DC3B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:52.745{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal55901- 23542300x800000000000000039826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:54.200{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0066712347901227D8AD8FD7D3621AAB,SHA256=7BBB7BB41011138F90E503E54A42813FC55F96EDD2A785FFDFC64F5C4DC10AA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:53.033{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63223-false10.0.1.12-8000- 23542300x800000000000000039828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:55.296{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62F3804A35336B43C3C54F651CF88D8A,SHA256=2D1910C1113580FC463F5EE414A2052B17595D4AE3B6DF1D382F5EF0A7795E4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:56.394{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6996C2E740B0B06185BC1FB358D06EA,SHA256=B1CC4F57D1986CB19DA217AD74135702B12EA1512C25B7DA25BB64B81FAA2EE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:56.052{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8BD2A5C41B5BC45BDF0BA19B4441922,SHA256=07EB9115FEEB6BA5120DA8C9DA8E3FD12FF826DCBE41CA718AA4020F5064D559,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:53.782{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50335-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000039831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:57.481{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F442EC5CFFA91A6882924DA4536EF2BB,SHA256=4E84049CCF0B20C1015463DDF6FD2851952DB307B86BE6B63FA22C09E07F1F94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:57.138{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=639C0ED677F876A44AE973A4413DB8DE,SHA256=5A4E3B9E6D9DD4D546DA46952D2D916808B2D7187DCC68E6C6CBBA908513A31E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:58.567{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCDBA0A062EDA1991CE52C353B67F81D,SHA256=53C052A2BE8C080CBC3AFA914D4181159B0E2395910895F7448D6864E048B773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:58.219{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=565BC9EFEBDDF9090ECBB956D3D22F6B,SHA256=E3A421F24FC34F72DB5F69DFA5467243DACC9722F08939F31395A1E54687002D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:59.639{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=800CC04CA1A1E03E1EFF6E508BA03584,SHA256=9BE0FE923C80B23903B29E30FD5670DB11E0B64BC73DBC941B5B6915366462E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:59.315{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F90415C950E37FCA6BADCD0609ECCE6C,SHA256=12EA9C3C6DAEACDC1213A71E790675E1483F2D7817E11338C3440A3828938E64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:00.725{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B51ADEFC300D878ACFEBEF55F6A032,SHA256=E070BE88B66210806AE3E47507BC207CFE1070D0D7210552F989C2FD138F19B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:00.510{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB2CCC1505AD980A27ED6CA7AE4FB7F1,SHA256=DB2B1379C3AE5F47A74C04BABA33AAA0A6FF37D6911010067E909588C05DE72E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:49:58.973{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63224-false10.0.1.12-8000- 23542300x800000000000000039836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:01.819{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE1017C3EB526534F46991AD9F5BE9BD,SHA256=E6CA287EE44C5CA26F81986E04E40610E9549E0623291E98287DF8FF61795074,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:01.711{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF192769E291ACC5E30E87BB4DE2CDFA,SHA256=080484638A21CF3EC6298CBF8149CFD97CFB035F9E24B793ADFADAF7626EB312,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:49:58.916{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50336-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000032317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:02.912{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5399C0E10936E777C76368E117D54B39,SHA256=7873B31D8087C42676E1300A656300DD44BBE6B96522FFC0BD41A7A01B0A9467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:02.922{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D51BEC8FB891A2F6CF1A4E2C8D27E9FF,SHA256=74188D370D05EC667091E9B5E07426F5D7E00EB52F72D4F4053502D5B2190A17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:04.225{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F77E56DDEDD3F484248B339EAEE4CE0,SHA256=492B79B119611D8E4DBE54F8E1C6BCE244AE89B79FFD72E4A37F04B153A24B8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:04.010{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A29ECF4AB2E1F21E1DF4B1DC1CD1EF6,SHA256=E7A6436FBB73C84D0157C62C7BEAB31FCEC5F9E6ECFEB4B1B6DF90EF37A50821,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:05.312{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A06C787CC7980BBF876C054D97E84A90,SHA256=F8BDD7E0CA48E03124BB4D850D94BE798AE465C667F09F3EF9B26E4B0F93ECED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:05.109{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C83229D32DD5764776A2A8285387142,SHA256=B473EBDDA7377D4810E99C7E32294FCAB391347F0B43E8A85FC3CF5BFFB4BF39,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:04.796{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50337-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000032320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:06.404{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=964AA1E983DBE3E798C7E9D3FB5274D8,SHA256=882BFC37D0E285913FDA21D31960AF9A4EEBE643D369B2BE60CF006473CFDB73,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:04.836{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63225-false10.0.1.12-8000- 23542300x800000000000000039840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:06.197{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F96FF57AF5E177CC02B8E23D737DBC1,SHA256=870060CFCB7563A8EDEACE8BA2FE8C529D1CBF0E864FD71D0E60D221EAC3AF51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:07.601{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7066481311B2B99C705814CA01DB355,SHA256=3EFE86FC5583E0C193EC4D44943DAE2C5BB344F939253F55FDF18B7CF92F36DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:07.299{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B4FB219B97E94C4467BE693BB60370,SHA256=74A66D7D3DE73F75D38AD510A284AAB90D65A8E02A4FB25AE9D2B5F170D025A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:08.702{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDF58769D6FD2BE90F64D0420E9D4803,SHA256=986E1AFB85000B6B846944AE460B97C9B4C2C4626DCBB8CD3501DF469E1C2CD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:08.396{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3787436D4A50F53B1A63925654390093,SHA256=9BEB01CCBEC6302245941AFB8B6044C042C2E3582C749BC76C562198ADA39923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:09.802{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A4BE01E40B5B70D1930BC812C41BB4,SHA256=4EB8385660019620B18C9A793FDA28143387E9A33424A2B57F2D72F807709E8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:09.672{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:09.658{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:09.656{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:09.654{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:09.651{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:09.612{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:09.605{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:09.592{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:09.585{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:09.581{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:09.572{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:09.566{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:09.552{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:09.544{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:09.535{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 23542300x800000000000000039848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:09.528{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F10761BF1FABE9ACA567A4E55D07BF6E,SHA256=D176E9D43E6FB26DF4788AECA2215E705A9EE9BCECF723BD66284464281BB053,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:09.527{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 23542300x800000000000000039846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:09.488{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E84FF8492BB5234B25CEEBF4C6AC9DF7,SHA256=1E2AE7559F70BBD78B8FA2A1A4A308CF99CA45103825D4D2754DF3AFB7338D7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:09.479{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:09.476{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 23542300x800000000000000032325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:10.895{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD18839BEE2BB67B8F1D338E300DCBAD,SHA256=42B1D25520BE33716AC28002A39218561CBB517F6E69B70F180F69853864F1B8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000039882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:50:10.969{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000039881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:50:10.969{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003a3435) 13241300x800000000000000039880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:50:10.969{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8bc55-0xe4f0975a) 13241300x800000000000000039879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:50:10.969{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8bc5e-0x46b4ff5a) 13241300x800000000000000039878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:50:10.969{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8bc66-0xa879675a) 13241300x800000000000000039877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:50:10.969{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000039876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:50:10.969{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003a3435) 13241300x800000000000000039875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:50:10.969{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8bc55-0xe4f0975a) 13241300x800000000000000039874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:50:10.969{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8bc5e-0x46b4ff5a) 13241300x800000000000000039873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:50:10.969{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8bc66-0xa879675a) 354300x800000000000000039872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:09.286{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63226-false10.0.1.12-8089- 23542300x800000000000000039871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:10.528{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CFF2A19E7F66C9C77498874A77E59D8,SHA256=620D7FC2B35E4AA5444506C4FC931E65CB8F4BEF9145A3BA380FAECCB675EC65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:10.124{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:10.119{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:10.118{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:10.116{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:10.111{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:10.098{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:10.094{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 23542300x800000000000000032372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.968{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E5F21BB55FF50002502377CA7BE3DC0B,SHA256=22418B42DBCB96F9AA71CA8DA19865FAEF3465E6AC71F025DC2102C316E3A412,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:09.897{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63227-false10.0.1.12-8000- 23542300x800000000000000039883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:11.624{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=016CA21A2F99A8681CADE9A2E160E177,SHA256=41728E05C844CB259F4DDA193713E563651F116E0D86AE8C2305E9DE36031A10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.765{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.763{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.763{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.759{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.737{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.721{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.680{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.672{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 23542300x800000000000000032363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.663{3AAE424D-DEE3-630D-1A00-000000007502}1788NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-057096b16942fd9f4\channels\health\respondent-20220830095653-051MD5=D4339613963D06E92774A3EB9FED8697,SHA256=EC6B2C8C371CA336E2A0B482E95A3B0DACA37B87AC3FADB516AE5F6436D8643B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.651{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.647{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.644{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.639{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.635{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.632{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.631{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.623{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.622{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.621{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.618{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.614{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.612{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.608{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.602{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 13241300x800000000000000032347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:11.599{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 10341000x800000000000000032346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.588{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 13241300x800000000000000032345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:11.588{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000032344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:11.588{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 10341000x800000000000000032343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.579{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.577{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 354300x800000000000000032341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:09.934{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50338-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000032340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.570{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.556{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.554{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.544{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.499{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.487{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.476{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.458{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.445{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.439{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.424{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.417{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.396{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.388{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000032326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:11.386{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000039906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:12.758{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:12.750{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:12.729{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:12.721{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:12.712{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 23542300x800000000000000039901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:12.708{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22FCB4841F63EBCA5C500ADC333EC009,SHA256=31DAD09F8D8AE0F805E96B3DF4CA3039FE90D6DD9BFD4BB52C013A8BAF5D2836,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:12.707{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:12.706{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:12.704{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:12.701{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:12.699{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:12.696{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:12.695{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:12.692{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:12.691{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:12.689{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:12.688{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:12.687{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:12.687{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:12.684{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 23542300x800000000000000032378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:12.667{3AAE424D-DEE3-630D-1A00-000000007502}1788NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-057096b16942fd9f4\channels\health\surveyor-20220830095651-052MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:12.260{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94DE528FF993D55B31673B01A88B152A,SHA256=D9FEAACA26550D27D6DA278CB8A0345D75EF991D8B2FA5C6BC49B16494F3596A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:12.092{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:12.092{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:12.087{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:12.087{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000039886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:12.167{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000039885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:12.167{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 23542300x800000000000000039911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:13.777{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C7786C73CA6CBB204D32E27422520A,SHA256=53C715E9DE7C23BAACA519E2DC7670B899011883948A6120F00039BFAFCA817B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:13.055{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBEF020445C5456A29EFC3A11C8363CC,SHA256=80B0F0D85494975EE481719ECCFF43C5C39FABCF28A44EEDC3F5E3C3E8600F7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:13.580{BEA5AFC2-DC7F-630D-0B00-000000007402}640808C:\Windows\system32\lsass.exe{BEA5AFC2-DC7D-630D-0100-000000007402}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97fa2|C:\Windows\system32\kerberos.DLL+7a1d8|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000039909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:13.580{BEA5AFC2-DC7F-630D-0B00-000000007402}640844C:\Windows\system32\lsass.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:13.470{BEA5AFC2-DC7F-630D-0B00-000000007402}640844C:\Windows\system32\lsass.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:13.470{BEA5AFC2-DC7F-630D-0B00-000000007402}640768C:\Windows\system32\lsass.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000039929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:13.360{BEA5AFC2-DC7D-630D-0100-000000007402}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local63235-truefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local445microsoft-ds 354300x800000000000000039928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:13.360{BEA5AFC2-DC7D-630D-0100-000000007402}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local63235-truefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local445microsoft-ds 354300x800000000000000039927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:13.357{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local63234-truefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local49666- 354300x800000000000000039926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:13.357{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local63234-truefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local49666- 354300x800000000000000039925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:13.356{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local63233-truefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local135epmap 354300x800000000000000039924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:13.356{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local63233-truefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local135epmap 354300x800000000000000039923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:13.259{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local63232-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000039922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:13.259{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local63232-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000039921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:13.254{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63231-false10.0.1.14win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000039920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:13.254{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63231-false10.0.1.14win-dc-ctus-attack-range-146.attackrange.local389ldap 23542300x800000000000000039919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:14.863{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D6F34A7158DFA44C1EF88E8DDAB8AC,SHA256=65715A17722736A5708ADA5B4AE31CB24521734A7AFD63CF66DC98B3FE466C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:14.140{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8C41E14316EB3890DE47577BC99739A,SHA256=33CDFB045368C1A90D4DD8AF144FF67908941EC7573DA8FE441215ABD7EC911C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:13.247{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local63230-truefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000039917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:13.247{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local63230-truefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000039916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:13.247{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local63229-truefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local49666- 354300x800000000000000039915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:13.247{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local63229-truefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local49666- 354300x800000000000000039914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:13.246{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local63228-truefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local135epmap 354300x800000000000000039913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:13.246{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local63228-truefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local135epmap 23542300x800000000000000039912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:14.534{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B1AE34DD7CB874213025843633FEF74,SHA256=B80FDF028EB7C4F062F14A3C59B0C65324097B16B5245697A489EBAF6E6FE865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:15.964{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF9A06058B8340DB5E3A7B08BF752D5,SHA256=49CD0BEADF01D20B21302AEA3E38FC77CA797C8725B80C44334ABA3B3E7D2820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:15.239{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78343FBAAE77AAA4D51A8B5DF643461D,SHA256=DE12E0857D41872DD0FB58793C9881FA3FF2AB3382B763F21668D16D3A0F925D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:16.320{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F9E793B3FBB388D4845559ED8AE3AE,SHA256=2078CA69FD9D5E4814874C09C34619F68EA779926E23C6F304BC2028601F35EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.934{3AAE424D-DEE3-630D-1400-000000007502}864NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\INF\nettun.PNFMD5=9C829193535C38B0D6DFAF5A6B7BDBD7,SHA256=64684372A3A2325AF0516701594BC7DDA938C09DBC8FF5A325D7DF2402E7EF37,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000032807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.836{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\webservices.dll10.0.14393.2312 (rs1_release.180607-1919)Windows Web Services RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationWebServices.dllMD5=3EE43755685D59060FAC0E2F09D67686,SHA256=BF80D9B840C28BC4E8FE9A4E6DBCCCAEE37A108F83428ABA1DD780D5312369D8,IMPHASH=21CAA202FAEFBDF78B727F64E8C79245trueMicrosoft WindowsValid 734700x800000000000000032806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.795{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\DmApiSetExtImplDesktop.dll10.0.14393.0 (rs1_release.160715-1616)DmApiSetExtImplDesktopMicrosoft® Windows® Operating SystemMicrosoft CorporationDmApiSetExtImplDesktop.dllMD5=89A2945D9F03BD5CE4FE786FC3FA01AC,SHA256=ECBF426E75A3C954374FA4FD3F815FCD24D30FE2550013FCBA03C57CCB7EEB7B,IMPHASH=F22ED554FF218C026E48028F37750A4EtrueMicrosoft WindowsValid 734700x800000000000000032805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.792{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\iri.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)iriMicrosoft® Windows® Operating SystemMicrosoft Corporationiri.dllMD5=AF8D35DD59781A0C1A1CE0D8792E330C,SHA256=CC67A743C34143F13B9D7265A0FDD4BC23505E9DA8B9F25D7D2CFB25FD67CDC1,IMPHASH=B26982DFF0E4AE83D00B3545D5FED9C7trueMicrosoft WindowsValid 734700x800000000000000032804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.791{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\dmxmlhelputils.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)dmxmlhelputilsMicrosoft® Windows® Operating SystemMicrosoft Corporationdmxmlhelputils.dllMD5=D736BB34651B8B66B58135B00BC73A9E,SHA256=433472EB2A0F30B3B3DB906AA09DA241775747087329FBA4270F14C213D344F0,IMPHASH=293AA2BB000D78CD59C3BAF9BC49B2D1trueMicrosoft WindowsValid 10341000x800000000000000032803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.856{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.856{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.856{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.855{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 734700x800000000000000032799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.791{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\omadmapi.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)omadmapiMicrosoft® Windows® Operating SystemMicrosoft Corporationomadmapi.dllMD5=EF8BD33B59DC278706C5DDD4198865EA,SHA256=D333877C5C468AF921D3FE7E072A686020AE4140C0828C8C61D7786399D48C2C,IMPHASH=94B167A43001FFF7EC77F71C980396E0trueMicrosoft WindowsValid 10341000x800000000000000032798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.852{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.852{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 734700x800000000000000032796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.789{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\dmcfgutils.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)dmcfgutilsMicrosoft® Windows® Operating SystemMicrosoft Corporationdmcfgutils.dllMD5=5BB823D136C74E3AEB50A2F8FD1AB3D3,SHA256=22DDB2DB95C4BC76AEDD4527E4F1FD2E3DF6A617442977B05C2876A91F0DEE4D,IMPHASH=D7125ED03B1CA2FDB19DB95B8732B900trueMicrosoft WindowsValid 734700x800000000000000032795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.847{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x800000000000000032794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.789{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\dmcsps.dll10.0.14393.2608 (rs1_release.181024-1742)dmcspsMicrosoft® Windows® Operating SystemMicrosoft Corporationdmcsps.dllMD5=3E2BE79AA01A983FE8E292BE943A145C,SHA256=CDFCC3B473CD671530926E08ECFE26C3BEB19AE995C63B5BDD7759BEB01EF74B,IMPHASH=62D6AA3FE203382F5057A220DB8A43A5trueMicrosoft WindowsValid 10341000x800000000000000032793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.840{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.838{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.838{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.838{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.838{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.838{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.837{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000032786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.784{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\dmenrollengine.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Enroll Engine DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdmEnrollEngine.dllMD5=28CFC1B053DE56ECAE3B0BB333B261DC,SHA256=F9F5E714B95D28AD8F23F80B6A28C98AA728CADEF90578B5309DBEBB87CDE2B6,IMPHASH=59187E09031CC2CA39C447F4A8D5439FtrueMicrosoft WindowsValid 734700x800000000000000032785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.776{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\enterpriseresourcemanager.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)enterpriseresourcemanager DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationenterpriseresourcemanager.dllMD5=0302E3FE61103E007ACF38D3F07D55A0,SHA256=AC171FD434FB589664C3636D31E51AC96971A9E59CA251CA039A518D3E857C56,IMPHASH=C2EA5291AD083C4C02F0C3CA7E4C7677trueMicrosoft WindowsValid 734700x800000000000000032784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.775{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\dmoleaututils.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)dmoleaututilsMicrosoft® Windows® Operating SystemMicrosoft Corporationdmoleaututils.dllMD5=58F5C38F979C23E9C3A8D6EFA7A01CE5,SHA256=C7A6A9B121CC95F906EDEDEFF1CD5C3E8D51295F149982DE66DA6AD73DB79C06,IMPHASH=EA4F317317CF2C0BAD0CECCE4D647BFCtrueMicrosoft WindowsValid 23542300x800000000000000032783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.802{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2587AF953252149BDC7EAF3F294295C0,SHA256=D2D30753801F1030C55B783EF7904EE38E0B06A96413B6AF746F287C7D3361D1,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000032782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.774{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\dmiso8601utils.dll10.0.14393.0 (rs1_release.160715-1616)dmiso8601utilsMicrosoft® Windows® Operating SystemMicrosoft Corporationdmiso8601utils.dllMD5=2F40C02593E583ADB3A6C6A6A25E0C49,SHA256=0C0A3221B34778274D7808379015DEEBB76B3B8524C01F75105B0C3D44750C2F,IMPHASH=33346501635D371F04B783022D96229EtrueMicrosoft WindowsValid 734700x800000000000000032781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.773{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\configmanager2.dll10.0.14393.4169 (rs1_release.210107-1130)ConfigManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationconfigmanager2.dllMD5=C2DB188E223282022D7475373B4DA96F,SHA256=F19CDC4A555243E2492351EBF5CC0B30E53654DD7D80F7D0884AE3C9CBEAC5E3,IMPHASH=6A70C4F51ACF7D21F90F8C54B7DA1389trueMicrosoft WindowsValid 734700x800000000000000032780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.751{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 10341000x800000000000000032779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.756{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.755{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.753{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.753{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.752{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.752{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000032773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.748{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BAB,IMPHASH=AD7CEB919D43FA2BD394EC803EB6BCDAtrueMicrosoft WindowsValid 734700x800000000000000032772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.711{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wmipcima.dll10.0.14393.0 (rs1_release.160715-1616)WMI Win32Ex ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationWMIPCIMA.dllMD5=BE602701F8F2E4CAFB7E68B1C15C9459,SHA256=8D6F52ACDC1FAB76654A09F47035B7810C874445D78DCF1BAD9A5AA70179A29C,IMPHASH=C82FCFB5894FF642454DE7F93087ED3AtrueMicrosoft WindowsValid 734700x800000000000000032771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.697{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6433F8201BFB449DC6B47F6999C2F164,SHA256=06729F1E0A0596620B48B6DC4A2CC9CC5FE55B17BD488C71F7F15AA4262C8C14,IMPHASH=50E2F760F0B39DC72CAD6892FEDF2F27trueMicrosoft WindowsValid 734700x800000000000000032770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.714{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000032769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.695{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\schedcli.dll10.0.14393.0 (rs1_release.160715-1616)Scheduler Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSCHEDCLI.DLLMD5=9565E2180ACA12EC2DAAF237568BB7FF,SHA256=450DEFF97BA11F320372CADABDFEE221D4821652DB14CBE2B2AC22DE6F212C2D,IMPHASH=A26C66511F0E88DB089794819D0C920BtrueMicrosoft WindowsValid 734700x800000000000000032768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.712{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000032767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.712{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x800000000000000032766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.711{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4003-000000007502}3152C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.711{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4003-000000007502}3152C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.709{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0800-000000007502}488C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.709{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0800-000000007502}488C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.708{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0800-000000007502}488C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.708{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0800-000000007502}488C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.708{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0800-000000007502}488C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.708{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0800-000000007502}488C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.706{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0500-000000007502}408C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.706{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0500-000000007502}408C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 23542300x800000000000000039931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:17.056{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BAB5B98654320BDB2406821243852DE,SHA256=F60628CB84203C54510AFCDB25911E3912CA24D5B6A096D5B37C130660240BFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.706{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.706{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.706{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.706{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.705{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.705{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.705{3AAE424D-DEE2-630D-0B00-000000007502}6245608C:\Windows\system32\lsass.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000032749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.692{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\logoncli.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=4D97A8DA0BF104134C81170C31EA5A69,SHA256=5A85BD08422227F07863837184163A289AE288FC9BD07389AA5C3BFB0A627888,IMPHASH=38941DF5102FFD817983A19701DCDF2AtrueMicrosoft WindowsValid 10341000x800000000000000032748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.702{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.702{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.700{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.700{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.699{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.699{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.697{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.697{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.697{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.697{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.697{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 734700x800000000000000032737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.696{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\dsrole.dll10.0.14393.0 (rs1_release.160715-1616)DS Setup Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationDSROLE.DLLMD5=2A319EC8DF0FB5C46CF311B9D2B65B1D,SHA256=62B8900EFDF4B30E54E11232A8DA95DBF066DAEFD364A66EB99ADC028A3798F7,IMPHASH=E4AC0A0BD42B7356347D6A1BE150F6A6trueMicrosoft WindowsValid 734700x800000000000000032736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.695{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 10341000x800000000000000032735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.695{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.695{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.695{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.695{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 734700x800000000000000032731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.676{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\samcli.dll10.0.14393.0 (rs1_release.160715-1616)Security Accounts Manager Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMCLI.DLLMD5=AEF1161232D111EEA93F64B203F131AE,SHA256=C1DA3DF389A414AAA26FEEEA28F35AAC202CE3A5CC3AF26B7C0C14EBBC2157F9,IMPHASH=D27BDFF964B5FDB8A5E9B0599333826BtrueMicrosoft WindowsValid 10341000x800000000000000032730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.689{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.689{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 734700x800000000000000032728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.678{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000032727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.676{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000032726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.674{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 10341000x800000000000000032725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.662{3AAE424D-DEE2-630D-0B00-000000007502}6245608C:\Windows\system32\lsass.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.659{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.659{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.659{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.659{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.659{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.659{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.659{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.658{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.658{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.658{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.658{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.658{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.658{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.658{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.658{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.658{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.658{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.658{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.658{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.658{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.658{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000032703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.623{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\schannel.dll10.0.14393.5125 (rs1_release.220429-1732)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=6E1B17C60BE7B7BB5D75BDB52B84B18C,SHA256=281F48D64784B48E0AAA6C3D5EC429C055977A3E65E818F5C8A3F8163ABBB264,IMPHASH=D9603397C5B04530FFA0321E70FF2308trueMicrosoft WindowsValid 10341000x800000000000000032702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.658{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.657{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.657{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.657{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.657{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.657{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000032696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.651{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000032695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.648{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 10341000x800000000000000032694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.646{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.646{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 13241300x800000000000000032692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.641{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\SniffedFolderTypeGeneric 13241300x800000000000000032691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.641{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\SniffedFolderTypeDocuments 10341000x800000000000000032690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.637{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.637{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 734700x800000000000000032688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.621{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\security.dll10.0.14393.0 (rs1_release.160715-1616)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=0C05DA5BB5C6841C6290F64CA34F1CBD,SHA256=9C48F8D23D42C3CAF06938C2B8AAFCB51E4BE879BA21578FDD9B9D6635F1C0D8,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000032687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.622{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000032686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.614{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\winbrand.dll10.0.14393.4530 (rs1_release.210705-0736)Windows Branding ResourcesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinbrand.dllMD5=79E4DAD0DB8F0D1258F7092007354241,SHA256=DDFCF94DA71C8F49DC505F2FC94540037A0955BE831BF59C34BFBB62A998FB20,IMPHASH=2C424150D7AE913E28B879B06042C9F2trueMicrosoft WindowsValid 734700x800000000000000032685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.577{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\updatepolicy.dll10.0.14393.4169 (rs1_release.210107-1130)Update Policy ReaderMicrosoft® Windows® Operating SystemMicrosoft CorporationUpdatePolicy.dllMD5=09B15E89229BF856D0DF5A32967E334F,SHA256=A59504806F0C8C8DA001C74C7DE5014E5C00281919CE248BE6D8486209609C24,IMPHASH=ABBCF620F7BD887BB2E35E503FFFD1EEtrueMicrosoft WindowsValid 734700x800000000000000032684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.564{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\wuuhext.dll10.0.14393.4651 (rs1_release.210911-1554)Windows Update Agent plugin for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationWuUhExt.dllMD5=FFFD20D96B8CF0A6836B023F8820DBA7,SHA256=25BA569D9ADB008A1248F7E4B8F93A3536FDB58C6CDF91BD4ECEA81D26FD9ED1,IMPHASH=0442FA1D3DECD2B29D4EF5178DCCD5E1trueMicrosoft WindowsValid 23542300x800000000000000032683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.605{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7AD96C6D75E625AD1A61886A4763B868,SHA256=40616394C5A214793CA50BD1F48EF5F5CE7167B2F4E56BA724D872E17272ADCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.602{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.602{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.602{3AAE424D-DEE2-630D-0B00-000000007502}624672C:\Windows\system32\lsass.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000032679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.601{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 734700x800000000000000032678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.593{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3,IMPHASH=96416B54C1F2E15EF294753DF1CB4131trueMicrosoft WindowsValid 734700x800000000000000032677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.492{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\esent.dll10.0.14393.3686 (rs1_release.200504-1524)Extensible Storage Engine for Microsoft(R) Windows(R)Microsoft® Windows® Operating SystemMicrosoft Corporationesent.dllMD5=372653326F31FCCA92A05331BCC8C95D,SHA256=B300AF0A4651A44C4D7D344033EB6317480CEF6F9E24BE1B34DA75A1B00C1807,IMPHASH=637BF97067C7F0AB1E14497F0B9878AAtrueMicrosoft WindowsValid 734700x800000000000000032676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.580{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\msxml6.dll6.30.14393.5291MSXML 6.0Microsoft XML Core ServicesMicrosoft CorporationMSXML6.dllMD5=A362CCDBE82A110E864A59410B1C450F,SHA256=D05D510E37824ADF4917CA1F5BCD4F19F48B9664B2188C2CAD14481B6F7E0CC9,IMPHASH=FCAD6732873DA041FB25E83E799A2652trueMicrosoft WindowsValid 734700x800000000000000032675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.571{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\wups.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Update client proxy stubMicrosoft® Windows® Operating SystemMicrosoft Corporationwups.dllMD5=7E4B645F484BAD4755E78095AD20DF56,SHA256=586FD2DC6DC6E3B58CB270EB60E93FF1A3FF3ABB4B8D2C3D7E09FE36043AA4AB,IMPHASH=B7F2DD54801ACA766CD9BF302D1C0E9BtrueMicrosoft WindowsValid 13241300x800000000000000032674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.566{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Power\FirmwareForcedInstall-FinalDWORD (0x00000023) 13241300x800000000000000032673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.566{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Power\ContinueInstallAtShutdown-FinalDWORD (0x0000000a) 13241300x800000000000000032672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.566{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Power\OfferInstallAtShutdown-FinalDWORD (0x00000028) 13241300x800000000000000032671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.565{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Power\Firmware-FinalDWORD (0x0000001e) 734700x800000000000000032670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.564{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\cabinet.dll5.00 (rs1_release.160715-1616)Microsoft® Cabinet File APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcabinet.dllMD5=08A4A2712DB2AE10E483FB74E46B0E73,SHA256=EEB32E3E4256CC9935227ACD5BA576B75F1F6FE3C818D2127513CB22F823FECB,IMPHASH=536E202FBC448C2C3B40D60D87620951trueMicrosoft WindowsValid 23542300x800000000000000032669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.556{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A28B4AC3E44CF6CEE975835103B8936C,SHA256=D03369D67BDCF39D3F7B0625D5783EEF36C030D7A8FD335B06504ECFD8E38DE4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000032668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.519{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000A0432\VirtualDesktopBinary Data 734700x800000000000000032667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.458{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\wups2.dll10.0.14393.4104 (rs1_release.201202-1742)Windows Update client proxy stub 2Microsoft® Windows® Operating SystemMicrosoft Corporationwups2.dllMD5=A58988DAC28CECA6A7A88876F2C9AA49,SHA256=55AA65930A8CD53BB8E78176D5FDEA784CDB8360129A2C84C1001DA980F81C90,IMPHASH=DCB0F5330FAB4AA3F51E2E86EFE0D5DEtrueMicrosoft WindowsValid 734700x800000000000000032666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.438{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\wuaueng.dll10.0.14393.4651 (rs1_release.210911-1554)Windows Update AgentMicrosoft® Windows® Operating SystemMicrosoft Corporationwuaueng.dllMD5=664FA6A69D8B239A6922285CCC950012,SHA256=75D90B6F8E3CDD19B46082AA7A89B2FDFFAB48CDD79ACB42131E381C023F83EC,IMPHASH=88F142D5F2E5EF1A7D0ED2ADCCEE44C8trueMicrosoft WindowsValid 23542300x800000000000000032665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.461{3AAE424D-DEE3-630D-1400-000000007502}864NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\WindowsUpdate.logMD5=038356387332650843BCB352BB89A101,SHA256=492C9B102256321FB5598FF87ED5BCCAB8159F36DD8416CE4011FFBF5E96048D,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000032664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.456{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\wups.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Update client proxy stubMicrosoft® Windows® Operating SystemMicrosoft Corporationwups.dllMD5=7E4B645F484BAD4755E78095AD20DF56,SHA256=586FD2DC6DC6E3B58CB270EB60E93FF1A3FF3ABB4B8D2C3D7E09FE36043AA4AB,IMPHASH=B7F2DD54801ACA766CD9BF302D1C0E9BtrueMicrosoft WindowsValid 10341000x800000000000000032663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.456{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.456{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.456{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.455{3AAE424D-DEE2-630D-0B00-000000007502}6243860C:\Windows\system32\lsass.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.455{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.455{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000032657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.455{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 13241300x800000000000000032656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.455{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x800000000000000032655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.449{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\system32\DllHost.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\Explorer.exe.ApplicationCompanyMicrosoft Corporation 13241300x800000000000000032654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.449{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\system32\DllHost.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\Explorer.exe.FriendlyAppNameWindows Explorer 23542300x800000000000000032653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.447{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A8B257D939AB97088819739EB4B5269,SHA256=527B03345D8182099F8495966F7555CBB8B2A5C56E2892815CA4168EE894B1F7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000032652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.446{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x800000000000000032651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.445{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x800000000000000032650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.444{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\system32\DllHost.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\LangIDBinary Data 12241200x800000000000000032649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteValue2022-08-30 10:50:17.444{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\system32\DllHost.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\system32\cmd.exe.ApplicationCompany 12241200x800000000000000032648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteValue2022-08-30 10:50:17.443{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\system32\DllHost.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\system32\cmd.exe.FriendlyAppName 12241200x800000000000000032647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteValue2022-08-30 10:50:17.443{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\system32\DllHost.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32\fsquirt.exe.ApplicationCompany 12241200x800000000000000032646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteValue2022-08-30 10:50:17.443{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\system32\DllHost.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32\fsquirt.exe.FriendlyAppName 12241200x800000000000000032645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteValue2022-08-30 10:50:17.443{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\system32\DllHost.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\Explorer.exe.ApplicationCompany 12241200x800000000000000032644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteValue2022-08-30 10:50:17.443{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\system32\DllHost.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\Explorer.exe.FriendlyAppName 12241200x800000000000000032643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteValue2022-08-30 10:50:17.443{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\system32\DllHost.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\system32\shell32.dll.ApplicationCompany 12241200x800000000000000032642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteValue2022-08-30 10:50:17.443{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\system32\DllHost.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\system32\shell32.dll.FriendlyAppName 12241200x800000000000000032641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteValue2022-08-30 10:50:17.443{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\system32\DllHost.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\system32\explorerframe.dll.ApplicationCompany 12241200x800000000000000032640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteValue2022-08-30 10:50:17.443{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\system32\DllHost.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\system32\explorerframe.dll.FriendlyAppName 13241300x800000000000000032639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.442{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 23542300x800000000000000032638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.441{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF5AD0D39277BC076E513631D08103E,SHA256=DF2C70B8EFD61733E8537856DFE47E07C01A4DC8C52B0F9317088FE09033135E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000032637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.429{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000032636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.429{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000032635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.428{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\SniffedFolderTypeGeneric 13241300x800000000000000032634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.428{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListExBinary Data 13241300x800000000000000032633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.428{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlotDWORD (0x00000018) 13241300x800000000000000032632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.428{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000032631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.428{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListExBinary Data 13241300x800000000000000032630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.427{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1Binary Data 13241300x800000000000000032629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.427{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000032628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.427{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000032627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.426{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000032626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.426{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000032625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.426{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000032624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.426{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000032623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.426{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000032622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.426{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000032621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.426{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000032620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.426{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000032619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.425{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirectionDWORD (0x00000001) 13241300x800000000000000032618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.425{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PIDDWORD (0x00000000) 13241300x800000000000000032617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.425{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID{00000000-0000-0000-0000-000000000000} 13241300x800000000000000032616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.425{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupViewDWORD (0x00000000) 13241300x800000000000000032615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.425{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfoBinary Data 13241300x800000000000000032614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.425{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\SortBinary Data 13241300x800000000000000032613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.425{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSizeDWORD (0x00000010) 13241300x800000000000000032612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.425{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x800000000000000032611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.425{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewModeDWORD (0x00000001) 13241300x800000000000000032610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.425{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ModeDWORD (0x00000004) 13241300x800000000000000032609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.425{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid{137E7700-3573-11CF-AE69-08002B2E1262} 13241300x800000000000000032608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.425{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x800000000000000032607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.425{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\RevDWORD (0x00000000) 13241300x800000000000000032606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.424{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000032605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.424{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 734700x800000000000000032604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.403{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 734700x800000000000000032603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.414{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\OneCoreCommonProxyStub.dll10.0.14393.2395 (rs1_release_inmarket.180714-1932)OneCore Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreCommonProxyStub.dllMD5=02CEC1566FB0709923FF7A9FEC254D96,SHA256=81BED60AEB79C489E9F79996A3F0AB626E6CA247EBB656B6B9897C47A39F6AFB,IMPHASH=69A8B7E9F373278F52FE45A83CE3A380trueMicrosoft WindowsValid 13241300x800000000000000032602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.412{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo\Volume{0fbb77e6-284a-11ed-abad-02f04dc43d56}\ActiveDWORD (0x00000001) 13241300x800000000000000032601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.412{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo\Volume{0fbb77e6-284a-11ed-abad-02f04dc43d56}\StagingPathC:\Users\Administrator\AppData\Local\Microsoft\Windows\Burn\Burn 13241300x800000000000000032600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.412{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo\Volume{0fbb77e6-284a-11ed-abad-02f04dc43d56}\DriveNumberDWORD (0x00000003) 13241300x800000000000000032599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.411{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{0fbb77e6-284a-11ed-abad-02f04dc43d56}\IsImapiDataBurnSupportedDWORD (0x00000000) 13241300x800000000000000032598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.411{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{0fbb77e6-284a-11ed-abad-02f04dc43d56}\Drive TypeDWORD (0x00000011) 734700x800000000000000032597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.409{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\wups.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Update client proxy stubMicrosoft® Windows® Operating SystemMicrosoft Corporationwups.dllMD5=7E4B645F484BAD4755E78095AD20DF56,SHA256=586FD2DC6DC6E3B58CB270EB60E93FF1A3FF3ABB4B8D2C3D7E09FE36043AA4AB,IMPHASH=B7F2DD54801ACA766CD9BF302D1C0E9BtrueMicrosoft WindowsValid 734700x800000000000000032596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.408{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\wuapi.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Update Client APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwuapi.dllMD5=209544E3592D5AD4426D9031DBB1436B,SHA256=95DD3BD80F9220D70432548C0A42BCED1F1C23B41CAD85A6AB82F0DC7DC83BBB,IMPHASH=2D6BA8DF92E534F3B212A50C2F051C9BtrueMicrosoft WindowsValid 734700x800000000000000032595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.404{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\ExplorerFrame.dll10.0.14393.4169 (rs1_release.210107-1130)ExplorerFrameMicrosoft® Windows® Operating SystemMicrosoft CorporationExplorerFrame.dllMD5=BB0850797E5D50E70FFB3FFCEBFE77A9,SHA256=042F69100AAEB04CF79872035422A033FB87F2F0113EE89AB6B61FFA41A224D8,IMPHASH=BE381F028EB6D274783D5F8AA4F3DCECtrueMicrosoft WindowsValid 734700x800000000000000032594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.402{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AE,IMPHASH=52045AC79DBE663F06AB7C9717524D40trueMicrosoft WindowsValid 734700x800000000000000032593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.400{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 13241300x800000000000000032592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.397{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\(Default)Binary Data 13241300x800000000000000032591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.397{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{0fbb77e6-284a-11ed-abad-02f04dc43d56}\GenerationDWORD (0x00000001) 13241300x800000000000000032590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.397{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{0fbb77e6-284a-11ed-abad-02f04dc43d56}\DataBinary Data 13241300x800000000000000032589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.377{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\Control Panel\Desktop\TranscodedImageCountDWORD (0x00000001) 734700x800000000000000032588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.361{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\BluetoothApis.dll10.0.14393.5291 (rs1_release.220806-1444)Bluetooth Usermode Api hostMicrosoft® Windows® Operating SystemMicrosoft CorporationBluetoothApis.DLLMD5=B5267EC072EC69EA82EDA8E8DA5DA218,SHA256=043ABA230C42ADF43B0F3695CF052ABF9F9AF08A701F99C65B3705D46BA7B9AB,IMPHASH=565BE656E1DABB7885CE440B41B76C57trueMicrosoft WindowsValid 13241300x800000000000000032587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.361{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\SYSTEM\MountedDevices\\DosDevices\D:Binary Data 13241300x800000000000000032586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.361{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\SYSTEM\MountedDevices\\??\Volume{0fbb77e6-284a-11ed-abad-02f04dc43d56}Binary Data 13241300x800000000000000032585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.361{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d8bc5e-0x4ab2e75d) 13241300x800000000000000032584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.361{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\#\Properties\{4d1ebee8-0803-4774-9842-b77db50265e9}\0004\(Default)Binary Data 13241300x800000000000000032583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.361{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\#\Properties\{4d1ebee8-0803-4774-9842-b77db50265e9}\0003\(Default)Binary Data 13241300x800000000000000032582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.361{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\#\Properties\{4d1ebee8-0803-4774-9842-b77db50265e9}\0002\(Default)Binary Data 13241300x800000000000000032581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.361{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport\InitialTimestampQWORD (0x01d8bc5e-0x4ab2e75d) 13241300x800000000000000032580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.361{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 1\DeviceIdentifierPageBinary Data 13241300x800000000000000032579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.361{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 1\DeviceTypeCdRomPeripheral 13241300x800000000000000032578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.361{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 1\IdentifierMsft Virtual DVD-ROM 1.0 13241300x800000000000000032577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.361{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 1\InquiryDataBinary Data 12241200x800000000000000032576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:50:17.361{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport 13241300x800000000000000032575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.345{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\DeviceInstanceSCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 13241300x800000000000000032574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.345{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\DeviceClasses\{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\##?#SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\#\Properties\{026e516e-b814-414b-83cd-856d6fef4822}\0006\(Default)Binary Data 13241300x800000000000000032573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.345{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\DeviceClasses\{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\##?#SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\DeviceInstanceSCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 13241300x800000000000000032572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.345{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Parameters\WppRecorder_TraceGuid{a4196372-c3c4-42d5-87bf-7edb2e9bcc27} 13241300x800000000000000032571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Enum\NextInstanceDWORD (0x00000001) 13241300x800000000000000032570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Enum\CountDWORD (0x00000001) 13241300x800000000000000032569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Enum\0SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 13241300x800000000000000032568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UINumberDWORD (0x00000001) 13241300x800000000000000032567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CapabilitiesDWORD (0x00000062) 13241300x800000000000000032566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\(Default)Binary Data 13241300x800000000000000032565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\(Default)Binary Data 13241300x800000000000000032564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlagsDWORD (0x00000000) 13241300x800000000000000032563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0007\(Default)Binary Data 13241300x800000000000000032562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Services\cdrom\AutoRunAlwaysDisableBinary Data 13241300x800000000000000032561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport\MinimumIdleTimeoutInMSDWORD (0x00000000) 13241300x800000000000000032560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\DefaultRequestFlagsDWORD (0x00000008) 13241300x800000000000000032559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName@cdrom.inf,%%ISO_Generic_FriendlyName%%;Microsoft Virtual DVD-ROM 13241300x800000000000000032558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\000E\(Default)Binary Data 13241300x800000000000000032557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\(Default)Binary Data 13241300x800000000000000032556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\0000\MatchingDeviceIdSCSI\CdRomMsft____Virtual_DVD-ROM_ 13241300x800000000000000032555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003\(Default)Binary Data 13241300x800000000000000032554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0006\(Default)Binary Data 13241300x800000000000000032553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\0000\InfSectioncdrom_install_ISO_drive 13241300x800000000000000032552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\(Default)Binary Data 13241300x800000000000000032551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\0000\InfPathcdrom.inf 13241300x800000000000000032550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003\(Default)Binary Data 13241300x800000000000000032549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\0000\DriverVersion10.0.14393.5006 13241300x800000000000000032548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002\(Default)Binary Data 13241300x800000000000000032547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\0000\DriverDate6-21-2006 13241300x800000000000000032546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\0000\DriverDateDataBinary Data 13241300x800000000000000032545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009\(Default)Binary Data 13241300x800000000000000032544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\0000\ProviderNameMicrosoft 13241300x800000000000000032543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg@cdrom.inf,%%genmanufacturer%%;(Standard CD-ROM drives) 13241300x800000000000000032542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0004\(Default)Binary Data 13241300x800000000000000032541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\0000\DriverDescCD-ROM Drive 13241300x800000000000000032540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Driver{4d36e965-e325-11ce-bfc1-08002be10318}\0000 13241300x800000000000000032539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc@cdrom.inf,%%gencdrom_devdesc%%;CD-ROM Drive 13241300x800000000000000032538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Servicecdrom 13241300x800000000000000032537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ClassGUID{4d36e965-e325-11ce-bfc1-08002be10318} 13241300x800000000000000032536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\(Default)Binary Data 13241300x800000000000000032535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDsBinary Data 13241300x800000000000000032534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareIDBinary Data 13241300x800000000000000032533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\BaseContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001Binary Data 13241300x800000000000000032532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ContainerID{00000000-0000-0000-ffff-ffffffffffff} 13241300x800000000000000032531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlagsDWORD (0x00000400) 13241300x800000000000000032530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UINumberDWORD (0x00000001) 13241300x800000000000000032529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CapabilitiesDWORD (0x00000062) 13241300x800000000000000032528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LocationInformationBus Number 0, Target Id 0, LUN 1 13241300x800000000000000032527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80497100-8c73-48b9-aad9-ce387e19c56e}\0006\(Default)Binary Data 13241300x800000000000000032526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\(Default)Binary Data 13241300x800000000000000032525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\(Default)Binary Data 13241300x800000000000000032524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDescMsft Virtual DVD-ROM SCSI CdRom Device 13241300x800000000000000032523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\ParentIdPrefix2&1f4adffe&0 13241300x800000000000000032522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.330{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\NextParentID.1f4adffe.2DWORD (0x00000001) 13241300x800000000000000032521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.314{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Drivervhdmp 13241300x800000000000000032520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.314{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Dma64BitAddressesDWORD (0x00000001) 13241300x800000000000000032519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.314{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0069\(Default)Binary Data 13241300x800000000000000032518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.314{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\DeviceClasses\{2accfe60-c130-11d2-b082-00a0c91efb8b}\##?#{8e7bd593-6e6c-4c52-86a6-77175494dd8e}#MsVhdHba#1&3030e83&0&01#{2accfe60-c130-11d2-b082-00a0c91efb8b}\DeviceInstance{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01 13241300x800000000000000032517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.314{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\Class\{2EA9B43F-3045-43B5-80F2-FD06C55FBB90}\Properties\SecurityBinary Data 13241300x800000000000000032516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.314{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\Class\{2EA9B43F-3045-43B5-80F2-FD06C55FBB90}\NoUseClass1 13241300x800000000000000032515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.314{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\Class\{2EA9B43F-3045-43B5-80F2-FD06C55FBB90}\NoDisplayClass1 13241300x800000000000000032514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.314{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\Class\{2EA9B43F-3045-43B5-80F2-FD06C55FBB90}\Classvhdmp 13241300x800000000000000032513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.314{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\Device Parameters\StorPort\AdapterGuidBinary Data 13241300x800000000000000032512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.283{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Services\vhdmp\Enum\NextInstanceDWORD (0x00000001) 13241300x800000000000000032511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.283{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Services\vhdmp\Enum\CountDWORD (0x00000001) 13241300x800000000000000032510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.283{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Services\vhdmp\Enum\0{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01 13241300x800000000000000032509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.283{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\UINumberDWORD (0x00000001) 13241300x800000000000000032508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.283{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\CapabilitiesDWORD (0x00000000) 13241300x800000000000000032507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.283{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\(Default)Binary Data 13241300x800000000000000032506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.283{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\(Default)Binary Data 13241300x800000000000000032505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.283{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\ConfigFlagsDWORD (0x00000000) 13241300x800000000000000032504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.283{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0007\(Default)Binary Data 13241300x800000000000000032503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.283{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Services\vhdmp\Parameters\PnpInterface\5DWORD (0x00000001) 13241300x800000000000000032502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.283{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Services\vhdmp\Parameters\BusTypeDWORD (0x0000000f) 13241300x800000000000000032501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.267{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\000E\(Default)Binary Data 13241300x800000000000000032500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.267{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\(Default)Binary Data 13241300x800000000000000032499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.267{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e97b-e325-11ce-bfc1-08002be10318}\0003\MatchingDeviceId{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba 13241300x800000000000000032498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.267{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003\(Default)Binary Data 13241300x800000000000000032497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.267{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0006\(Default)Binary Data 13241300x800000000000000032496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.267{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e97b-e325-11ce-bfc1-08002be10318}\0003\InfSectionvhdmp_inst 13241300x800000000000000032495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.267{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\(Default)Binary Data 13241300x800000000000000032494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.267{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e97b-e325-11ce-bfc1-08002be10318}\0003\InfPathvhdmp.inf 13241300x800000000000000032493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.267{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003\(Default)Binary Data 13241300x800000000000000032492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.267{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e97b-e325-11ce-bfc1-08002be10318}\0003\DriverVersion10.0.14393.5291 13241300x800000000000000032491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.267{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002\(Default)Binary Data 13241300x800000000000000032490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.267{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e97b-e325-11ce-bfc1-08002be10318}\0003\DriverDate6-21-2006 13241300x800000000000000032489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.267{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e97b-e325-11ce-bfc1-08002be10318}\0003\DriverDateDataBinary Data 13241300x800000000000000032488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.267{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009\(Default)Binary Data 13241300x800000000000000032487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.267{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e97b-e325-11ce-bfc1-08002be10318}\0003\ProviderNameMicrosoft 13241300x800000000000000032486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.267{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\Mfg@vhdmp.inf,%%msft%%;Microsoft 13241300x800000000000000032485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.267{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0004\(Default)Binary Data 13241300x800000000000000032484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.267{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e97b-e325-11ce-bfc1-08002be10318}\0003\DriverDescMicrosoft VHD Loopback Controller 13241300x800000000000000032483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.267{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\Driver{4d36e97b-e325-11ce-bfc1-08002be10318}\0003 13241300x800000000000000032482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.267{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\DeviceDesc@vhdmp.inf,%%vhdmp.description%%;Microsoft VHD Loopback Controller 13241300x800000000000000032481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.267{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\Servicevhdmp 13241300x800000000000000032480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.267{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\ClassGUID{4d36e97b-e325-11ce-bfc1-08002be10318} 734700x800000000000000032479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.205{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\newdev.dll6.0.5054.0Add Hardware Device LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationnewdev.dllMD5=D30B8CDEF65A0A47C32B7BC4D5ADEFA4,SHA256=5B5E91A1147984A2B737DF4148855D331C125AC08AFD5B15848DF93097A935D8,IMPHASH=7508604A98EE685995E3E8E988DFE5B1trueMicrosoft WindowsValid 734700x800000000000000032478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.204{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\DeviceDriverRetrievalClient.dll10.0.14393.4169 (rs1_release.210107-1130)Device Driver Retrieval ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationDeviceDriverRetrievalClient.dllMD5=7C461ED06FD994B8A3E57404D5B8FCBA,SHA256=6F6AB2AB4EC262F4C904B4BCDCC7891B45FDFBEF8AFC79C95503631BB269C2A8,IMPHASH=3A87CE9B8344DC9851F27E20EA15274AtrueMicrosoft WindowsValid 734700x800000000000000032477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.188{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\DevPropMgr.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows Device Property ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationDevPropMgr.DLLMD5=DA1E3744D62D328893EA0A0C173DA6D8,SHA256=00C5A7703BE29FF8834F9A53258CF0993A21FDE8E0ECF3EF7C31CA756B8B38D3,IMPHASH=1843E129F1B776D651A7F09F1661FB28trueMicrosoft WindowsValid 734700x800000000000000032476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.205{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 13241300x800000000000000032475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.188{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0069\(Default)Binary Data 734700x800000000000000032474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.172{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\DeviceSetupManager.dll10.0.14393.0 (rs1_release.160715-1616)Device Setup ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationDeviceSetupManager.dllMD5=7433474BE77F065D2FA628671FE31A3E,SHA256=063ADDC68F48036749E6EC7B2F66284DB29F90F62E9468D16B4EF5A0FDC45E35,IMPHASH=979C904CE62DA00890CC9C29BD894216trueMicrosoft WindowsValid 13241300x800000000000000032473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.188{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0002\(Default)Binary Data 734700x800000000000000032472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.172{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\profext.dll10.0.14393.5066 (rs1_release.220401-1841)profextMicrosoft® Windows® Operating SystemMicrosoft Corporationprofext.dllMD5=0DE365C8A142970005720085E49FEF27,SHA256=6BDD23F322FAB172DE012703E769BE7F798964958CA711C8FC1369A0D0464772,IMPHASH=F91E2D82E712880E88119D442066998DtrueMicrosoft WindowsValid 13241300x800000000000000032471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.172{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceSetup\SessionNumberBinary Data 13241300x800000000000000032470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.172{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListExBinary Data 13241300x800000000000000032469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.172{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder\MRUListExBinary Data 13241300x800000000000000032468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.172{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder\0Binary Data 13241300x800000000000000032467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.172{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\1Binary Data 11241100x800000000000000032466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.172{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2022-08-30 10:50:17.172 13241300x800000000000000032465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.172{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000032464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.172{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\(Default)Binary Data 13241300x800000000000000032463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.172{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\CompatibleIDsBinary Data 13241300x800000000000000032462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.172{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\HardwareIDBinary Data 13241300x800000000000000032461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.172{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0069\(Default)Binary Data 13241300x800000000000000032460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.172{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\BaseContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01Binary Data 13241300x800000000000000032459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.172{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\ContainerID{00000000-0000-0000-ffff-ffffffffffff} 13241300x800000000000000032458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.172{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\UINumberDWORD (0x00000001) 13241300x800000000000000032457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.172{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\CapabilitiesDWORD (0x00000000) 13241300x800000000000000032456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.172{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\LocationInformationVHD Bus 0 13241300x800000000000000032455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.172{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\Properties\{80497100-8c73-48b9-aad9-ce387e19c56e}\0006\(Default)Binary Data 13241300x800000000000000032454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.172{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\(Default)Binary Data 13241300x800000000000000032453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.172{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\(Default)Binary Data 13241300x800000000000000032452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.172{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\DeviceDescMicrosoft_VHD_ISO_VHBA_01 13241300x800000000000000032451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.172{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\ROOT\vdrvroot\0000\ParentIdPrefix1&3030e83&0 13241300x800000000000000032450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.172{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\NextParentID.3030e83.1DWORD (0x00000001) 13241300x800000000000000032449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.172{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\VersionWS not running 12241200x800000000000000032448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:50:17.172{3AAE424D-E5C4-630D-4D03-000000007502}3876C:\Windows\system32\taskhostw.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017061520170616 13241300x800000000000000032447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.172{3AAE424D-E5C4-630D-4D03-000000007502}3876C:\Windows\system32\taskhostw.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012022083020220831\CacheLimitDWORD (0x00000001) 13241300x800000000000000032446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.172{3AAE424D-E5C4-630D-4D03-000000007502}3876C:\Windows\system32\taskhostw.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012022083020220831\CacheRepairDWORD (0x00000000) 13241300x800000000000000032445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.172{3AAE424D-E5C4-630D-4D03-000000007502}3876C:\Windows\system32\taskhostw.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012022083020220831\CacheOptionsDWORD (0x0000000b) 13241300x800000000000000032444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.172{3AAE424D-E5C4-630D-4D03-000000007502}3876C:\Windows\system32\taskhostw.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012022083020220831\CacheRelativePathMicrosoft\Windows\History\History.IE5\MSHist012022083020220831 13241300x800000000000000032443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.172{3AAE424D-E5C4-630D-4D03-000000007502}3876C:\Windows\system32\taskhostw.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012022083020220831\CachePathC:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012022083020220831 13241300x800000000000000032442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.172{3AAE424D-E5C4-630D-4D03-000000007502}3876C:\Windows\system32\taskhostw.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012022083020220831\CachePrefix:2022083020220831: 734700x800000000000000032441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.172{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000032440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.157{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\virtdisk.dll10.0.14393.2007 (rs1_release.171231-1800)Virtual Disk API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationVIRTDISK.DLLMD5=52F41CC2AAA9548FE4F8CF122EC209EC,SHA256=BEE64EAC456019C6B1C6D04ECBE22CA4D8804BE87E003E2D3952801207BC6EF4,IMPHASH=A3334A2670A60783CE69DE81680830ACtrueMicrosoft WindowsValid 734700x800000000000000032439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.141{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\WpPortingLibrary.dll10.0.14393.0 (rs1_release.160715-1616)<d> DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWpPortingLibrary.dllMD5=9F86158107F4C4A954E1A1594A73E769,SHA256=8D797D0B92ACE4957EDC3380C06D54CC2912896248A2A68E86F83FA0B7A24136,IMPHASH=B4ACDC77E7BA866BD19676ABBA0D0B2FtrueMicrosoft WindowsValid 734700x800000000000000032438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.157{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 13241300x800000000000000032437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.157{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.iso\MRUListExBinary Data 13241300x800000000000000032436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.157{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.iso\0Binary Data 13241300x800000000000000032435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.157{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\0Binary Data 11241100x800000000000000032434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.157{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\notes.iso.lnk2022-08-30 10:50:17.157 734700x800000000000000032433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.141{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\Windows.System.Launcher.dll10.0.14393.4886 (rs1_release.220104-1735)Windows.System.LauncherMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.System.Launcher.dllMD5=7ED19A9D5A5247B32B502763E8D83731,SHA256=127243F0E56E1A210F1CABDA9EB1FCFC59CEF192BF06F21BD06BD1D662C29EC4,IMPHASH=2FCCF9E601F23A043E51DA1E837A3065trueMicrosoft WindowsValid 13241300x800000000000000032432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.157{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iso\OpenWithProgids\Windows.IsoFileBinary Data 734700x800000000000000032431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.141{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000032430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.141{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000032429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.141{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000032428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.141{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 734700x800000000000000032427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.141{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000032426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.141{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000032425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.141{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000032424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.141{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000032423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.141{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000032422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.141{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x800000000000000032421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.141{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000032420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.141{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\dsclient.dll10.0.14393.0 (rs1_release.160715-1616)Data Sharing Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdsclient.dllMD5=68B9D02A469519C6BFD9F39854EE8E62,SHA256=A7646650AB50D076DBBC6E9B767565DDA71B078814BC2071BA525F118B861883,IMPHASH=F148E4E0D3E37883A6CAB6CEE53CA685trueMicrosoft WindowsValid 734700x800000000000000032419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.141{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 10341000x800000000000000032418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.126{3AAE424D-DEE3-630D-1400-000000007502}8642424C:\Windows\system32\svchost.exe{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.126{3AAE424D-DEE3-630D-1400-000000007502}8641088C:\Windows\system32\svchost.exe{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000032416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.126{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000032415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.126{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000032414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.126{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000032413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.126{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000032412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.126{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000032411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.126{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000032410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.126{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x800000000000000032409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.126{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000032408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.126{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x800000000000000032407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.126{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000032406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.126{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 13241300x800000000000000032405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.126{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Explorer.exeQWORD (0x01d8bc5e-0x4a8ef628) 13241300x800000000000000032404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.126{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumpListChangedAppIdsBinary Data 734700x800000000000000032403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.126{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000032402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.126{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000032401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.126{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000032400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.126{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x800000000000000032399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.126{3AAE424D-E5C0-630D-4003-000000007502}3152512C:\Windows\system32\csrss.exe{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x800000000000000032398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.126{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000032397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.126{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000032396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.126{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000032395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.110{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88trueMicrosoft WindowsValid 10341000x800000000000000032394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.110{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.110{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EB69-630D-3004-000000007502}2324C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000032392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.110{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000032391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.110{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000032390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.110{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iso\OpenWithProgids\Windows.IsoFileBinary Data 10341000x800000000000000032389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.110{3AAE424D-DEE3-630D-1400-000000007502}8642424C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\appinfo.dll+cdf0|c:\windows\system32\appinfo.dll+12868|c:\windows\system32\appinfo.dll+12fbf|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.110{3AAE424D-DEE3-630D-1400-000000007502}8642424C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\appinfo.dll+cdf0|c:\windows\system32\appinfo.dll+12aa0|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000032387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.110{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000032386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.110{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\@%SystemRoot%\system32\shell32.dll,-31478File Explorer disc image mount 13241300x800000000000000032385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.110{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000032384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.110{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iso\OpenWithList\a{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Explorer.exe 13241300x800000000000000032383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:17.001{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 23542300x800000000000000033045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.897{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EA5E0D8A145E825CA0E7166519AAB6,SHA256=0251CC9AEACC12B36DE5BA6AC57ADCE05F27926A6BC664E920B47A13CE49AE3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.850{3AAE424D-DEE3-630D-1700-000000007502}11721372C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.804{3AAE424D-DEE3-630D-1700-000000007502}11721372C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000033042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.766{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355,IMPHASH=FE994282C73F9AB11AC9B6E37AC26B47trueMicrosoft WindowsValid 23542300x800000000000000033041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.751{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26B5D593B164118C1753664A6289D12,SHA256=F6D0AEF09AA801E51B6CFB6F8FE2823A2676470B26847AB30C6DBB7C72081472,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.706{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.706{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.705{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.705{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.705{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.705{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.700{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.699{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.699{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.699{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.699{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.698{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000033028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.664{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\drupdate.dll10.0.14393.4222 (rs1_release.210113-1739)Driver ServicingMicrosoft® Windows® Operating SystemMicrosoft Corporationdrupdate.dllMD5=89A624107773DCDD4905048FC65B0500,SHA256=5773E23363DDA9CD12CFF5B5892B892658C667A7AB90C1CBD00C7547F76CF2A5,IMPHASH=9040FF7108D68427D5394CE13343182FtrueMicrosoft WindowsValid 10341000x800000000000000033027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.694{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.694{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.693{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.693{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.693{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.693{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000033021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.659{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\wcp.dll10.0.14393.5285 (rs1_release.220720-1722)Windows Componentization Platform Servicing APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwcp.dllMD5=098FCD8F20584CEF3037EE3BB696C363,SHA256=475CBA4879776E8FC60B27867C49270F7466962D633DB8D1C025EE0C99A6DB81,IMPHASH=810FFF9123B2800D8B43E0FA2610C401trueMicrosoft WindowsValid 10341000x800000000000000033020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.688{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.688{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.687{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.687{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.687{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.687{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000033014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:15.842{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50339-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000033013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.682{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.681{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.681{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.681{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.680{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.680{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.680{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F54221C2DCA90220CBCE931EC13E2FF,SHA256=64DEAE925D14B5C26D4473D3E2E72DADD264A92DE12E5D451C3A798BBAAE32C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.674{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.674{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.673{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.673{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.673{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.672{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000033000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:18.668{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\SessionIdLowDWORD (0x4b7a5ac0) 13241300x800000000000000032999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:18.668{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\SessionIdHighDWORD (0x01d8bc5e) 10341000x800000000000000032998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.668{3AAE424D-EB6A-630D-3204-000000007502}17524220C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+39788|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 13241300x800000000000000032997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:18.666{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\SessionIdLowDWORD (0x4b7a0c7b) 13241300x800000000000000032996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:18.666{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\SessionIdHighDWORD (0x01d8bc5e) 734700x800000000000000032995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.622{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\dpx.dll5.00 (rs1_release.220720-1722)Microsoft(R) Delta Package ExpanderMicrosoft® Windows® Operating SystemMicrosoft Corporationdpx.dllMD5=F934BFB193D1DB51C62CAC7BE77BE737,SHA256=59999A2E439641B4F4784F831731EE00B3A0880A63F9BD6A18A13D667E3509F0,IMPHASH=9421E098FA9710C8D7E5671CCB32BBE5trueMicrosoft WindowsValid 10341000x800000000000000032994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.665{3AAE424D-EB6A-630D-3204-000000007502}17524220C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+39788|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 734700x800000000000000032993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.611{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000032992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.611{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000032991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.611{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000032990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.610{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\CbsCore.dll10.0.14393.5285 (rs1_release.220720-1722)Component Based Servicing Core DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcbscore.dllMD5=DA0C6E70252673D3182F4A36EE7C9D5C,SHA256=730A9D06F52A01AD851A9775B1E21CDA3D4C06F522574D02B1C42B27B3F23D74,IMPHASH=F49499168FF8440390437B748F881E16trueMicrosoft WindowsValid 734700x800000000000000032989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.617{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x800000000000000032988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.613{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x800000000000000032987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.613{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\System32\sqmapi.dll10.0.14393.0 (rs1_release.160715-1616)SQM ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationsqmapi.dllMD5=D4EBE3E757147E481CF5077084FBB133,SHA256=177FC35DEA1DCE2F851BD94A76CD8C2FE5A91E49C596A0EB842F6AFFA702437E,IMPHASH=690EA16EFC3B778464AC42B8965A26C7trueMicrosoft WindowsValid 734700x800000000000000032986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.612{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000032985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.612{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000032984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.611{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000032983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.611{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000032982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.611{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000032981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.610{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000032980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.592{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\servicing\CbsApi.dll10.0.14393.0 (rs1_release.160715-1616)Component Based Servicing API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcbsapi.dllMD5=176E556358F4F4868397D080CA660F6E,SHA256=A41CED61F2C7E67FE65397F9AC037EF0C720A168C183C647F8FAD07A8DA0B6AE,IMPHASH=0D11D8030B464E83DCB0906249CCB4AFtrueMicrosoft WindowsValid 734700x800000000000000032979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.591{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x800000000000000032978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.589{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000032977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.578{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe10.0.14393.4222 (rs1_release.210113-1739)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft CorporationTiWorker.exeMD5=1571A4132449A317F66DF783E9468783,SHA256=5CFF48937FAE7F0CF5935248959141E2A60E88FE8105C43676B866FDAC36ADD2,IMPHASH=38FF53C1CCC1EE4C508C0F83A88C4E19trueMicrosoft WindowsValid 734700x800000000000000032976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.588{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000032975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.587{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000032974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.586{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000032973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.585{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000032972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.585{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000032971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.585{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\wdscore.dll10.0.14393.4222 (rs1_release.210113-1739)Panther Engine ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationWDSCORE.DLLMD5=98DE446AA9B3B6CEBE69CD86215D843C,SHA256=2D15FB7CC3A7DB626F3F9522B0C3EF8995919EC9775DA171A5F755A690FDAE97,IMPHASH=00AB7666D5069924B3A434429B57ED1BtrueMicrosoft WindowsValid 734700x800000000000000032970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.583{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000032969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.582{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000032968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.582{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000032967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.582{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000032966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.581{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000032965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.581{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000032964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.580{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000032963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.579{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000032962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.579{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000032961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.579{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.578{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.578{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.578{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.578{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.577{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.575{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe10.0.14393.4222 (rs1_release.210113-1739)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft CorporationTiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=1571A4132449A317F66DF783E9468783,SHA256=5CFF48937FAE7F0CF5935248959141E2A60E88FE8105C43676B866FDAC36ADD2,IMPHASH=38FF53C1CCC1EE4C508C0F83A88C4E19{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 734700x800000000000000032954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.572{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\servicing\CbsApi.dll10.0.14393.0 (rs1_release.160715-1616)Component Based Servicing API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcbsapi.dllMD5=176E556358F4F4868397D080CA660F6E,SHA256=A41CED61F2C7E67FE65397F9AC037EF0C720A168C183C647F8FAD07A8DA0B6AE,IMPHASH=0D11D8030B464E83DCB0906249CCB4AFtrueMicrosoft WindowsValid 734700x800000000000000032953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.572{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\CbsApi.dll10.0.14393.0 (rs1_release.160715-1616)Component Based Servicing API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcbsapi.dllMD5=176E556358F4F4868397D080CA660F6E,SHA256=A41CED61F2C7E67FE65397F9AC037EF0C720A168C183C647F8FAD07A8DA0B6AE,IMPHASH=0D11D8030B464E83DCB0906249CCB4AFtrueMicrosoft WindowsValid 734700x800000000000000032952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.569{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x800000000000000032951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.566{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000032950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.560{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exeC:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\wdscore.dll10.0.14393.4222 (rs1_release.210113-1739)Panther Engine ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationWDSCORE.DLLMD5=98DE446AA9B3B6CEBE69CD86215D843C,SHA256=2D15FB7CC3A7DB626F3F9522B0C3EF8995919EC9775DA171A5F755A690FDAE97,IMPHASH=00AB7666D5069924B3A434429B57ED1BtrueMicrosoft WindowsValid 734700x800000000000000032949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.565{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000032948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.564{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000032947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.564{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000032946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.564{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000032945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.563{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000032944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.562{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000032943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.561{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000032942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.560{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000032941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.560{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000032940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.551{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeMD5=187076E4BC7B2F5FB7D54D1234B3CDEA,SHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE,IMPHASH=648F735E453FC6802BFAECAC5ACA72A4trueMicrosoft WindowsValid 10341000x800000000000000032939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.556{3AAE424D-DEE2-630D-0A00-000000007502}6165084C:\Windows\system32\services.exe{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000032938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.555{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000032937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.554{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000032936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.554{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000032935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.554{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000032934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.553{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000032933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.553{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000032932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.553{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000032931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.552{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000032930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.551{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000032929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.551{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000032928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.550{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.550{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.550{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.550{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.550{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.549{3AAE424D-DEE2-630D-0A00-000000007502}616688C:\Windows\system32\services.exe{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.548{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=187076E4BC7B2F5FB7D54D1234B3CDEA,SHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE,IMPHASH=648F735E453FC6802BFAECAC5ACA72A4{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x800000000000000032921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.546{3AAE424D-DEE2-630D-0B00-000000007502}624672C:\Windows\system32\lsass.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.546{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.546{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.546{3AAE424D-DEE2-630D-0B00-000000007502}624672C:\Windows\system32\lsass.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.538{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.537{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.536{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.536{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:18.242{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=83AFBE3A65EE71E410FB23702886CDC8,SHA256=DDAE623BB6EFD02979AB0FC2D52D9CD40597E8E774F4817D4C6D45166877F65D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:18.159{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AACB670B78031D8693B3D664F4D3FA70,SHA256=2F8A96941AF5927733EFFAA145AFA7233DEE417C8B8018C7785E6112D1FBD131,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.536{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.536{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.531{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.530{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.530{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.530{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.529{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.529{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.525{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.524{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.523{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.523{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.523{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.523{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.517{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.517{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.516{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.516{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.516{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.516{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.389{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.389{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.389{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.389{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.389{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.389{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.373{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.373{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.373{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.373{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.373{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.373{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000032881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.373{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A5826622D147F54E894C14A576CFD36,SHA256=A742EA3FCB4F7C6B3A5E2510CAF5E75B7EAA1DF86519214AD0F91EC5E4C34C3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.373{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0274A0E7AF190940AA7F1AB212F96A25,SHA256=F241577116F9D21A4365E046468A97877FE85B5C9D2AD325B71E77D76E417738,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.357{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.357{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.357{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.357{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.357{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.357{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.357{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.357{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.357{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.357{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.357{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.357{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.357{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000032866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.357{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA1B8318A40B7567EEBB44868749AFC1,SHA256=A65ECCDBE21949C6F0C6DAC2011E23194F37660B78490BA76489CB952D36BF80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.357{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000032864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.357{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8055760CA724A6DF522C590F6207BA04,SHA256=6C75A67E4E1BBC5AD7A869873986FB6AF1E2A3918762323A0990F29305765B62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.357{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.357{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.357{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.357{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000032859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.311{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\msi.dll5.0.14393.5192Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=B7A63EC8461AA5F92B1876305DE9800D,SHA256=FA052CEC7744320872CD4CFCBD4F1D56ABBCC67702B832884B8F60F93C191D45,IMPHASH=921305700F902B8CB66358D10709E873trueMicrosoft WindowsValid 10341000x800000000000000032858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.342{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.342{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.342{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.342{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.342{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.342{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.326{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.326{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.326{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.326{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.326{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.326{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.326{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.326{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.326{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.326{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.326{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.326{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.279{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.279{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.279{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.279{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.279{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.279{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.279{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.279{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.279{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.279{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.279{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.279{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.264{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.264{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.264{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.264{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.264{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.264{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.264{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.264{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.264{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.264{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.264{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.264{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.264{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.264{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.264{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.264{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.264{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.264{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000032810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.137{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6006C16CDDCD128C6A8256DA96AA773E,SHA256=B10E7EC52B91B4F85C77F25ECABB9D11BC4688E2D076B0B44BBF1A9E9E4AB279,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000032809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:17.997{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\dispci.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft Display Class InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationDispCI.dllMD5=78287C2EB0594C1FD9657775646CC907,SHA256=F2F5C8F3FE65081E397A6394B328E3175DB0F91B7C067A4D1AB9525869A2B094,IMPHASH=AA1ECEC794AE408F2A32851176A93BE4trueMicrosoft WindowsValid 354300x800000000000000039932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:15.831{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63236-false10.0.1.12-8000- 13241300x800000000000000033093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:19.918{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x800000000000000033092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:19.902{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x800000000000000033091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:19.902{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x800000000000000033090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:19.887{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:19.887{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:19.887{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:19.887{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 734700x800000000000000033086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:19.887{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\wpdshext.dll10.0.14393.4169 (rs1_release.210107-1130)Portable Devices Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShExt.dllMD5=CEB555E9099888316A1E2ADE83BA82BF,SHA256=4110FFD5F08100D1F6E1005E2907460E40B3221A0833B821BE291657416E89F0,IMPHASH=60006258D4DE87B31BEDA805A8CC8040trueMicrosoft WindowsValid 13241300x800000000000000033085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:19.887{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000033084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:19.887{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x800000000000000033083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:19.887{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:19.871{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x800000000000000033081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:19.871{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirectionDWORD (0x00000001) 13241300x800000000000000033080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:19.871{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PIDDWORD (0x00000000) 13241300x800000000000000033079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:19.871{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID{00000000-0000-0000-0000-000000000000} 13241300x800000000000000033078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:19.871{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupViewDWORD (0x00000000) 13241300x800000000000000033077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:19.871{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfoBinary Data 13241300x800000000000000033076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:19.871{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\SortBinary Data 13241300x800000000000000033075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:19.871{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSizeDWORD (0x00000010) 13241300x800000000000000033074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:19.871{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlagsDWORD (0x41200001) 23542300x800000000000000039935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:19.251{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1833E0FED72678371574CAC4BB7F2A33,SHA256=A70AC278FDD88C07B59D9E62BF51B80B42DA2A7C1C67FDFCCC5EE93099DEAAC8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000033073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:19.871{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewModeDWORD (0x00000001) 13241300x800000000000000033072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:19.871{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ModeDWORD (0x00000004) 13241300x800000000000000033071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:19.871{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid{137E7700-3573-11CF-AE69-08002B2E1262} 13241300x800000000000000033070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:19.871{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlagsDWORD (0x41200001) 13241300x800000000000000033069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:19.871{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\RevDWORD (0x00000000) 13241300x800000000000000033068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:19.871{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000033067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:19.871{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 10341000x800000000000000033066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:19.505{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000033065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:19.505{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000033064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:19.505{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000033063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:19.504{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000033062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:19.504{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000033061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:19.504{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 23542300x800000000000000033060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:19.481{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=789C9AAA597559164C5402B1F9A1DD7C,SHA256=196E68A1948DA75B0B292FF38D128D55A7EEDF76AF0956FD57E3944E99B062DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:19.467{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000033058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:19.467{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000033057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:19.467{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000033056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:19.464{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0700-000000007502}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000033055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:19.464{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0700-000000007502}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000033054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:19.464{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0700-000000007502}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000033053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:19.462{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000033052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:19.462{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000033051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:19.462{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0A00-000000007502}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000033050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:19.462{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000033049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:19.462{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000033048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:19.462{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000033047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:19.462{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0700-000000007502}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000033046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:19.461{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0700-000000007502}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 23542300x800000000000000039937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:20.342{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2532A71B1E345A415D75C05DF6561671,SHA256=A4684CFC639718B20F4109529DAC282F2F95A02EBD2328166283F099CFF0DBB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:18.495{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50340-false20.62.190.190-443https 13241300x800000000000000033143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:20.676{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0069\(Default)Binary Data 13241300x800000000000000033142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:20.676{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0050\(Default)Binary Data 13241300x800000000000000033141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:20.676{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0008\en-USBinary Data 13241300x800000000000000033140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:20.676{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\(Default)Binary Data 23542300x800000000000000033139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.556{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749C888BBD1F875FEDBB8769973DBE74,SHA256=F41E89299841B75005AF9347D5003C5BD1C968BBDCB17FCDFDAB7A9F1197728F,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000033138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.379{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\DeviceMetadataRetrievalClient.dll10.0.14393.4169 (rs1_release.210107-1130)Windows MRCMicrosoft® Windows® Operating SystemMicrosoft CorporationMRC.DLLMD5=4C6C39DEFDCA41A4FD30B2F7532EB22B,SHA256=F482AE4355C9425DBA719E102AC9FE7EBAF352578B6A5ACAA2832CFDC8B8C384,IMPHASH=EA47FF6A9B78646B50C497A73B0D2F90trueMicrosoft WindowsValid 734700x800000000000000033137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.317{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\DDORes.dll10.0.14393.0 (rs1_release.160715-1616)Device Category information and resourcesMicrosoft® Windows® Operating SystemMicrosoft CorporationDeviceCategories.dllMD5=4D558BCF2062138ADC52D6A9297A9732,SHA256=D03BD3F1B5664492E360851297C0347B1E6973C157343E2B144B343C0FABB14C,IMPHASH=4ADE000E26811AE05A20CE8C732A4112trueMicrosoft WindowsValid 10341000x800000000000000033136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.494{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000033135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.493{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000033134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.493{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000033133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.493{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000033132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.493{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000033131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.493{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 13241300x800000000000000033130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:20.379{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\(Default)Binary Data 734700x800000000000000033129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.379{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\wer.dll10.0.14393.4704 (rs1_release.211004-1917)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwer.dllMD5=7E027B814172825204990B59AA353DB6,SHA256=F6F12530FE0312540C3C1310D618EE4D9005199E90E1BB9B385CA086C54E20C1,IMPHASH=D4255358570CE65AE9390E07B2795ADCtrueMicrosoft WindowsValid 23542300x800000000000000033128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.301{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983F5EF4B489B18EE6FEADEC66C97F68,SHA256=F5695D1AE12E683E5956432B960C13717F24AAC950488FD5681C11DBBDC4F54A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000033127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:20.191{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0069\(Default)Binary Data 13241300x800000000000000033126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:20.191{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\(Default)Binary Data 13241300x800000000000000033125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:20.191{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\(Default)Binary Data 734700x800000000000000033124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.050{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000033123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.050{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000033122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.050{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000033121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.050{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000033120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.050{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\thumbcache.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Thumbnail CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationthumbcache.dllMD5=915850DD84E156381392FC43ECDF37C0,SHA256=03E2C6D75BCC4FE599C40C4929E2877543EE625494BAC86D988AD23A0439468A,IMPHASH=428FE673E24F7848BECF2BA2271A839AtrueMicrosoft WindowsValid 10341000x800000000000000033119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.050{3AAE424D-DEE3-630D-1400-000000007502}8642424C:\Windows\system32\svchost.exe{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.050{3AAE424D-DEE3-630D-1400-000000007502}8641088C:\Windows\system32\svchost.exe{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000033117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.050{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000033116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.050{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000033115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.050{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000033114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.050{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000033113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.050{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000033112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.050{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000033111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.050{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x800000000000000033110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.050{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000033109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.035{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x800000000000000033108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.035{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000033107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.035{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000033106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.035{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000033105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.035{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000033104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.035{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000033103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.035{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x800000000000000033102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.035{3AAE424D-E5C0-630D-4003-000000007502}31522300C:\Windows\system32\csrss.exe{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x800000000000000033101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.035{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 13241300x800000000000000033100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:20.035{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000033099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:20.035{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 734700x800000000000000033098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.004{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000033097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.004{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000033096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.004{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88trueMicrosoft WindowsValid 10341000x800000000000000033095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.004{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.004{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EB6C-630D-3304-000000007502}4372C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000039936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:18.559{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal49742- 23542300x800000000000000039938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:21.429{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60303F9CF7EA63AFF6421E144DB7FD84,SHA256=41A29CA08B7CB43D820AFAA08A64E48AF30A97783901CA00E91CAA83890E3710,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000033170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:21.892{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderTypeDocuments 13241300x800000000000000033169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:21.892{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderTypeDocuments 13241300x800000000000000033168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:21.876{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:21.876{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000033166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:21.876{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x800000000000000033165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:21.845{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x800000000000000033164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:21.845{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x800000000000000033163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:21.845{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x800000000000000033162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:21.845{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x800000000000000033161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:21.830{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderTypeDocuments 13241300x800000000000000033160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:21.830{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirectionDWORD (0x00000001) 13241300x800000000000000033159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:21.830{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PIDDWORD (0x00000004) 13241300x800000000000000033158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:21.830{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID{B725F130-47EF-101A-A5F1-02608C9EEBAC} 13241300x800000000000000033157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:21.830{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupViewDWORD (0xffffffff) 13241300x800000000000000033156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:21.830{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfoBinary Data 13241300x800000000000000033155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:21.830{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\SortBinary Data 13241300x800000000000000033154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:21.830{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSizeDWORD (0x00000030) 13241300x800000000000000033153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:21.830{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlagsDWORD (0x41200001) 13241300x800000000000000033152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:21.830{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewModeDWORD (0x00000002) 13241300x800000000000000033151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:21.830{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ModeDWORD (0x00000006) 13241300x800000000000000033150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:21.830{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid{65F125E5-7BE1-4810-BA9D-D271C8432CE3} 13241300x800000000000000033149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:21.830{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlagsDWORD (0x41200001) 13241300x800000000000000033148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:21.830{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\RevDWORD (0x00000000) 354300x800000000000000033147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.205{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50342-false52.188.50.245-80http 354300x800000000000000033146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.147{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50341-false23.65.245.196a23-65-245-196.deploy.static.akamaitechnologies.com80http 23542300x800000000000000033145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:21.533{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE72CB9B5E8A301B9FCA5CF857118C1,SHA256=F6F419372952C4D55439254AC7B3ADB414AC9FA48E56BDFCC2C288C1DE840DC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:22.512{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A73D6FA8DDFA99E2919917430A96F9,SHA256=57A73DF27D8D79D6FF57938B161052F408ABCA61A923BE449DD97D4FE0F88F2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.951{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50346-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000033174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.357{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50345-false23.65.245.196a23-65-245-196.deploy.static.akamaitechnologies.com80http 354300x800000000000000033173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.302{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50344-false23.65.245.196a23-65-245-196.deploy.static.akamaitechnologies.com80http 354300x800000000000000033172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:20.243{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50343-false23.65.245.196a23-65-245-196.deploy.static.akamaitechnologies.com80http 23542300x800000000000000033171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:22.633{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65FA81624371C8D698E44EA1C7F39C7E,SHA256=F77515498D82005973BE7E6FDD624BC5E7FE6B0F9CD089BE9BECB5F1A9E5B1BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:20.305{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal51591- 354300x800000000000000039940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:20.246{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal56467- 354300x800000000000000039939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:20.183{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal50209- 23542300x800000000000000039945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:23.604{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=073A7E646ADBDD72967577480B46DF2B,SHA256=78D483AC25F7826111F718056CB0171B9152187A18BBEC29697D451B9ECFC32D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:23.734{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B7736DF9C306F5D6BBFB667DC72F6C,SHA256=A02064CB8D2C699997AFEAAD2BFBD5E1F9A6CA1C256A6444CA281713CA8F3999,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:21.307{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal56664- 354300x800000000000000039943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:21.307{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal53233- 23542300x800000000000000033178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:24.824{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F970E6B450330CE324CAEEEB9F97CE6B,SHA256=B36A59177940D3F6EF367079DADC68A80A469509AFFE1CDEDB20D827A3230E62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:24.695{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5BC6E3EE1679072CAC85E6DA6217DBA,SHA256=46AEEA8B01260A346ADAC5AF4E3F6381A647BA04486F3DF7AC6BFF546DA3B87B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:21.798{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63237-false10.0.1.12-8000- 13241300x800000000000000033177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:24.094{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0002\(Default)Binary Data 23542300x800000000000000033182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:25.928{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E99401FE9F013BE3A8EE8723AAA143,SHA256=8BA7B552A183A0C6726BCE384B55388F0EEBD417BE4772514E059A41C3AEF096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:25.796{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D970E17E9DE5403196B8591DBA61E81,SHA256=718D799BE65D5761D17EED5CAF23726B03A846D7F022632D7FE2029E78EA7605,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000033181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:25.567{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:25.551{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:25.551{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 23542300x800000000000000039948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:25.351{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=801A60E94D9B8D3003BFDE504135B9CB,SHA256=4551D4D07BFD4B68CDEA94C35322D66466F985325844BF6A7181DD5E2DE52DCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:26.891{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C16972A01117324DF7C343D0864D25F4,SHA256=A49312494FE81AC68C9B22440F715E8A8E0D078982FAD71D7E7AC1C30CBA6B4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:27.987{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B792DF7842C5292004167BFAB740228,SHA256=CFA3943D7A569CE11E4E57A900BF6848816765866149B502789F58D08BB7A311,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000033292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.978{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x800000000000000033291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.978{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x800000000000000033290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.973{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.972{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.971{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.970{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.969{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000033285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.969{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 734700x800000000000000033284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:27.968{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\wpdshext.dll10.0.14393.4169 (rs1_release.210107-1130)Portable Devices Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShExt.dllMD5=CEB555E9099888316A1E2ADE83BA82BF,SHA256=4110FFD5F08100D1F6E1005E2907460E40B3221A0833B821BE291657416E89F0,IMPHASH=60006258D4DE87B31BEDA805A8CC8040trueMicrosoft WindowsValid 13241300x800000000000000033283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.968{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.960{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x800000000000000033281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.947{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirectionDWORD (0x00000001) 13241300x800000000000000033280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.947{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PIDDWORD (0x00000000) 13241300x800000000000000033279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.947{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID{00000000-0000-0000-0000-000000000000} 13241300x800000000000000033278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.947{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupViewDWORD (0x00000000) 13241300x800000000000000033277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.947{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfoBinary Data 13241300x800000000000000033276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.947{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\SortBinary Data 13241300x800000000000000033275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.947{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSizeDWORD (0x00000010) 13241300x800000000000000033274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.947{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200011) 13241300x800000000000000033273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.947{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewModeDWORD (0x00000001) 13241300x800000000000000033272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.947{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ModeDWORD (0x00000004) 13241300x800000000000000033271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.946{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid{137E7700-3573-11CF-AE69-08002B2E1262} 13241300x800000000000000033270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.946{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x800000000000000033269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.946{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\RevDWORD (0x00000000) 23542300x800000000000000033268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:27.456{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F10761BF1FABE9ACA567A4E55D07BF6E,SHA256=D176E9D43E6FB26DF4788AECA2215E705A9EE9BCECF723BD66284464281BB053,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000033267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\DeviceInterfaceClasses(Empty) 13241300x800000000000000033266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\LowerFilters(Empty) 13241300x800000000000000033265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\UpperFilters(Empty) 13241300x800000000000000033264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\LowerClassFilters(Empty) 13241300x800000000000000033263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\UpperClassFilters(Empty) 13241300x800000000000000033262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\STACKID\driver\cdrom,\driver\vhdmp 13241300x800000000000000033261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\COMPIDscsi\cdrom,scsi\raw 13241300x800000000000000033260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\ExtendedInfs(Empty) 13241300x800000000000000033259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\HWIDscsi\cdrommsft____virtual_dvd-rom_1.0_,scsi\cdrommsft____virtual_dvd-rom_,scsi\cdrommsft____,scsi\msft____virtual_dvd-rom_1,msft____virtual_dvd-rom_1,gencdrom 13241300x800000000000000033258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\BusReportedDescriptionMsft Virtual DVD-ROM SCSI CdRom Device 13241300x800000000000000033257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\DriverId00007013ae8bc5f905a6f5751e7c4201b2924d04a622 13241300x800000000000000033256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\ProviderMicrosoft 13241300x800000000000000033255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\ProblemCode0 13241300x800000000000000033254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\ContainerId{27db0821-3bf9-f71a-f96f-a53403857690} 13241300x800000000000000033253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\DriverVerVersion10.0.14393.5006 13241300x800000000000000033252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\DriverPackageStrongNamecdrom.inf_amd64_3362899763b6c760 13241300x800000000000000033251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\FirstInstallDate08-30-2022 13241300x800000000000000033250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\InstallDate08-30-2022 13241300x800000000000000033249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\DriverVerDate06-21-2006 13241300x800000000000000033248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\Infcdrom.inf 13241300x800000000000000033247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\DeviceState32 13241300x800000000000000033246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\InstallState0 13241300x800000000000000033245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\Servicecdrom 13241300x800000000000000033244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\Enumeratorscsi 13241300x800000000000000033243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\DescriptionMicrosoft Virtual DVD-ROM 13241300x800000000000000033242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\ClassGuid{4d36e965-e325-11ce-bfc1-08002be10318} 13241300x800000000000000033241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\Classcdrom 13241300x800000000000000033240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\MatchingIDscsi\cdrommsft____virtual_dvd-rom_ 13241300x800000000000000033239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\ParentId{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba\1&3030e83&0&01 13241300x800000000000000033238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\DriverNamecdrom.sys 13241300x800000000000000033237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\Manufacturer(Standard CD-ROM drives) 13241300x800000000000000033236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\ModelCD-ROM Drive 13241300x800000000000000033235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\DeviceInterfaceClasses(Empty) 13241300x800000000000000033234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\LowerFilters(Empty) 13241300x800000000000000033233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\UpperFilters(Empty) 13241300x800000000000000033232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\LowerClassFilters(Empty) 13241300x800000000000000033231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\UpperClassFilters(Empty) 13241300x800000000000000033230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\STACKID\driver\vhdmp,\driver\vdrvroot 13241300x800000000000000033229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\COMPID{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\mscompatiblevhdhba 13241300x800000000000000033228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\ExtendedInfs(Empty) 13241300x800000000000000033227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\HWID{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba 13241300x800000000000000033226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\BusReportedDescriptionMicrosoft_VHD_ISO_VHBA_01 13241300x800000000000000033225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\DriverId000093b95467e3b2faa28bb54bec0d80e1dd9d3761b6 13241300x800000000000000033224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\ProviderMicrosoft 13241300x800000000000000033223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\ProblemCode0 13241300x800000000000000033222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\ContainerId{27db0821-3bf9-f71a-f96f-a53403857690} 13241300x800000000000000033221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\DriverVerVersion10.0.14393.5291 13241300x800000000000000033220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\DriverPackageStrongNamevhdmp.inf_amd64_2b3af30a2972d0c9 13241300x800000000000000033219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\FirstInstallDate08-30-2022 13241300x800000000000000033218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\InstallDate08-30-2022 13241300x800000000000000033217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\DriverVerDate06-21-2006 13241300x800000000000000033216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\Infvhdmp.inf 13241300x800000000000000033215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\DeviceState32 13241300x800000000000000033214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\InstallState0 13241300x800000000000000033213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\Servicevhdmp 13241300x800000000000000033212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\Enumerator{8e7bd593-6e6c-4c52-86a6-77175494dd8e} 13241300x800000000000000033211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\DescriptionMicrosoft VHD Loopback Controller 13241300x800000000000000033210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\ClassGuid{4d36e97b-e325-11ce-bfc1-08002be10318} 13241300x800000000000000033209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\Classscsiadapter 13241300x800000000000000033208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\MatchingID{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba 13241300x800000000000000033207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\ParentIdroot\vdrvroot\0000 13241300x800000000000000033206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\DriverNamevhdmp.sys 13241300x800000000000000033205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\ManufacturerMicrosoft 13241300x800000000000000033204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\ModelMicrosoft VHD Loopback Controller 12241200x800000000000000033203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDriverPackage\PermissionsCheckTestKey 13241300x800000000000000033202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDriverPackage\WritePermissionsCheckDWORD (0x00000001) 12241200x800000000000000033201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDeviceUsbHubClass\PermissionsCheckTestKey 13241300x800000000000000033200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDeviceUsbHubClass\WritePermissionsCheckDWORD (0x00000001) 12241200x800000000000000033199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDeviceInterface\PermissionsCheckTestKey 13241300x800000000000000033198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDeviceInterface\WritePermissionsCheckDWORD (0x00000001) 12241200x800000000000000033197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\DriverPackageExtended\PermissionsCheckTestKey 13241300x800000000000000033196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\DriverPackageExtended\WritePermissionsCheckDWORD (0x00000001) 12241200x800000000000000033195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDeviceMediaClass\PermissionsCheckTestKey 13241300x800000000000000033194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.362{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDeviceMediaClass\WritePermissionsCheckDWORD (0x00000001) 734700x800000000000000033193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:27.347{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exeC:\Windows\System32\drvstore.dll10.0.14393.2791 (rs1_release.190205-1511)Driver Store APIMicrosoft® Windows® Operating SystemMicrosoft CorporationDRVSTORE.DLLMD5=D0DE1D69FC3F00F65F8D67C31BCC9682,SHA256=F27CEB248FCB3444B850896CB916DACC10BC730E7C2679D2A6C2582CC667F8AD,IMPHASH=AC3F232984E3ABCCF80F1B2A1ACA9991trueMicrosoft WindowsValid 12241200x800000000000000033192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:50:27.347{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDriverBinary\PermissionsCheckTestKey 13241300x800000000000000033191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.347{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDriverBinary\WritePermissionsCheckDWORD (0x00000001) 12241200x800000000000000033190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:50:27.347{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDeviceContainer\PermissionsCheckTestKey 13241300x800000000000000033189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.347{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDeviceContainer\WritePermissionsCheckDWORD (0x00000001) 12241200x800000000000000033188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:50:27.347{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\PermissionsCheckTestKey 13241300x800000000000000033187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.347{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{a70812f0-1964-8c05-5aa4-11aab3a866ca}\Root\InventoryDevicePnp\WritePermissionsCheckDWORD (0x00000001) 734700x800000000000000033186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:27.331{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exeC:\Windows\System32\devinv.dll10.0.19645.1032 (WinBuild.160101.0800)Device Inventory LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinv.dllMD5=4AD8F9F4964B64FBF79D463A5DD6EA3E,SHA256=AC4C94B14924434CA3DEFE224E80D3BFD8B4078841C3DF2268C46CF215AB0F1C,IMPHASH=94EEFF72CC677C4C4124B0B3A85F7825trueMicrosoft WindowsValid 734700x800000000000000033185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:27.331{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000033184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:27.331{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000033183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:27.017{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7578DDDC21B380C9E386DA5486FD28A,SHA256=933ABF4D018BD26D50747E195954BCECAB1A9F001E0C05116764E133BE50B446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:28.370{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BE0DAE390FF7510E79FAA9E5C423124,SHA256=214D40B0C52FF561B60A76FF9DDA22F7BB57043CE259034EF6E920DE97C7349C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:28.370{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA729A711F51C8F4A1BD374D2CCF007D,SHA256=821DCDAFFB392EE29637718C420E3EE4372FB98F3DAAD5A38FC1F7155A4FE70B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000033294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:28.040{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000050352\VirtualDesktopBinary Data 13241300x800000000000000033293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:27.994{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 354300x800000000000000033299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:27.152{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50348-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x800000000000000033298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:26.949{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50347-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000033297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:29.133{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E82FCB0923B92E74D7CBF81120882DF5,SHA256=87FE0DADCB7221AC3D73C1DA7A2B6B461E3F8260A7CAE363016E66FB9E8EC018,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:29.738{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:29.726{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:29.722{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:29.717{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:29.714{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:29.677{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:29.667{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:29.649{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:29.638{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:29.631{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:29.621{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:29.604{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:29.590{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:29.581{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:29.560{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:29.548{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:29.486{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:29.483{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 23542300x800000000000000039953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:29.076{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9922EAF74D06D55CE9ED35142638F817,SHA256=424A3F90EB99060B00B71372BFA54D210534AE3875D8AE711BB009C3F7F67727,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:26.806{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63238-false10.0.1.12-8000- 23542300x800000000000000033316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:30.217{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D640777660890EC683A072989E5B1E73,SHA256=B0557D85B4871FF95BBAED314FB92A221403D9C6A052226E16343F1C2E60104B,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000033315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:30.168{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\odbc32.dll10.0.14393.3471 (rs1_release_1.191218-1729)ODBC Driver ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationodbc32.dllMD5=7BE20E672645485F6A3B2E34389344BA,SHA256=B6F6E06CACEE09FB6CC0ACF874477FC9094EA4C14A07FF59B228BDD23C7BF02A,IMPHASH=B6FE10FF835FBB8612CC749787B5472EtrueMicrosoft WindowsValid 734700x800000000000000033314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:30.137{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\mfc42u.dll6.06.8063.0MFCDLL Shared Library - Retail VersionMicrosoft (R) Visual C++Microsoft CorporationMFC42.DLLMD5=DD361EE0A665F41783E02CEA20285E61,SHA256=457BF44CC1BE99FD74983178AC34E83AEC2ED73DFEE9F9FC7F5F501AD8A6D03B,IMPHASH=5407FE666C5FCACC20F969C8CE05D993trueMicrosoft WindowsValid 13241300x800000000000000033313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:30.184{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:30.168{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntriesBinary Data 734700x800000000000000033311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:30.121{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\vssapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Volume Shadow Copy Requestor/Writer Services API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationVSSAPI.DLLMD5=79EE1F659B982D0A1DE6FDF83B0EE546,SHA256=385A5A18E04BC7CB57899EC700A2AFAC35A37BE3C7DCC9516D38EECF66A5C69A,IMPHASH=7A42644AF0B53C51D0E36668B2E15F8FtrueMicrosoft WindowsValid 10341000x800000000000000039979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:30.241{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:30.237{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:30.235{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:30.234{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:30.229{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:30.216{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:30.213{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 23542300x800000000000000039972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:30.119{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F1607E8C60C99AC02369F78FE9681DB,SHA256=1BD838F15CC76F6AE6A4560A1150F192ED3067F8E2126096D3390F8107EBDA57,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000033310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:30.090{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\clusapi.dll10.0.14393.4467 (rs1_release.210604-1844)Cluster API LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationclusapiMD5=884A820B75F04674CF5F27870F9FEE27,SHA256=2E33EB1D4EE0E7008FB4ECD49EED3F6CF49B8E5068125DEA2CC771714C0B7C4C,IMPHASH=A18EA9022AC27F1C7E02F74FAE45378EtrueMicrosoft WindowsValid 734700x800000000000000033309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:30.090{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\vsstrace.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Volume Shadow Copy Service Tracing LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvsstrace.dllMD5=22660FF9634B3D700133905181361A28,SHA256=2189772DE55B6BE7B4221DBCD781289CD510ED8AA75AE7A45C96EFCCCE3A3B78,IMPHASH=F2BC9D3BB56F1E083F06D69A08E9AE79trueMicrosoft WindowsValid 734700x800000000000000033308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:30.074{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\VSSUI.dll10.0.14393.4169 (rs1_release.210107-1130)VSS UIMicrosoft® Windows® Operating SystemMicrosoft Corporationvssui.dllMD5=4EF16A546FC8039DF53BAE622D331408,SHA256=2EB0F9A0410E9F8727160088EAAE83F0E7CB589589104ECF498CAF2CDEABC448,IMPHASH=F6512B0CF52856D74D32E8A71FC546B3trueMicrosoft WindowsValid 734700x800000000000000033307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:30.090{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\atl.dll3.05.2284ATL Module for Windows XP (Unicode)Microsoft (R) Visual C++Microsoft CorporationATL.DLLMD5=C1B73181019C1E1F28F4161B5F198B7F,SHA256=C3678504437D23910C18D3680B05B4E819A2229BDD0E1E0567186C70D814560D,IMPHASH=5500EF6AAEED0FAA2DE0F3B65E67DE20trueMicrosoft WindowsValid 13241300x800000000000000033306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:30.059{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4648F940-EFE3-4BAB-9211-3BE45CD5029D} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data 734700x800000000000000033305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:30.059{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\wpdshext.dll10.0.14393.4169 (rs1_release.210107-1130)Portable Devices Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShExt.dllMD5=CEB555E9099888316A1E2ADE83BA82BF,SHA256=4110FFD5F08100D1F6E1005E2907460E40B3221A0833B821BE291657416E89F0,IMPHASH=60006258D4DE87B31BEDA805A8CC8040trueMicrosoft WindowsValid 13241300x800000000000000033304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:30.059{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{D6791A63-E7E2-4FEE-BF52-5DED8E86E9B8} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data 10341000x800000000000000033303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:30.043{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:30.043{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:30.027{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:30.027{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.783{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.782{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.780{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.779{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.779{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.777{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.759{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.745{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.701{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.686{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.674{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.669{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.667{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.662{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.651{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.645{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.644{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.639{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.638{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.637{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.635{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.633{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.630{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.628{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.620{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.612{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.608{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.603{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.591{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.577{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.574{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.566{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.516{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.510{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.496{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.482{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.472{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.465{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.445{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.437{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.421{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.407{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000033318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.403{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 23542300x800000000000000033317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:31.314{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8085EAB6BFFB57BFADF56706DD1D389F,SHA256=080F340B4C0AF6BF070425D3073CDF90F2C27BB162A1055A98065AA485A42705,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:31.920{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-E595-630D-7006-000000007402}5272C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:31.201{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E606312C2279191063BACE81AA3AE19,SHA256=4F4758EC2ACF6A6508EDE49155B357BE7C4D6B429E76663B7E43A64F0993B942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.851{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D88F2CB59088F0148FB37731BA9BDA1A,SHA256=94F4694FC284DA03C7BA57503314650CF2155B33957FFB2D64175472B19D4723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.836{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBC81BFF7CEC483BD7DD0897604F5323,SHA256=D1958EDF8A7C7A4945B759EF49902E461DE9E1383C490E3D5EEF87A0E908684A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000033461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:32.725{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\Control Panel\Desktop\TranscodedImageCountDWORD (0x00000001) 734700x800000000000000033460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.694{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\BluetoothApis.dll10.0.14393.5291 (rs1_release.220806-1444)Bluetooth Usermode Api hostMicrosoft® Windows® Operating SystemMicrosoft CorporationBluetoothApis.DLLMD5=B5267EC072EC69EA82EDA8E8DA5DA218,SHA256=043ABA230C42ADF43B0F3695CF052ABF9F9AF08A701F99C65B3705D46BA7B9AB,IMPHASH=565BE656E1DABB7885CE440B41B76C57trueMicrosoft WindowsValid 734700x800000000000000033459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.654{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x800000000000000033458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.653{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000033457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.647{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000033456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.637{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 10341000x800000000000000033455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.635{3AAE424D-DEE3-630D-1400-000000007502}8644068C:\Windows\system32\svchost.exe{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.635{3AAE424D-DEE3-630D-1400-000000007502}8641088C:\Windows\system32\svchost.exe{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000033453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.633{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 13241300x800000000000000033452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:32.591{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:32.591{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 734700x800000000000000033450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.591{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000033449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.591{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000033448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.591{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000033447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.591{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000033446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.591{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000033445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.591{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000033444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.575{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000033443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.575{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000033442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.575{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000033441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.575{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000033440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.575{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000033439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.575{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x800000000000000033438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.575{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000033437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.575{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x800000000000000033436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.575{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\imagehlp.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT Image HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationIMAGEHLP.DLLMD5=E1C665DC0FD5A7423B0C0F5325A1027F,SHA256=8B84BE9335EF640ABAA8E8BBA45C6BC77F2251359D4BCC157235CB4BC107AE69,IMPHASH=C88C4D131D277C03F0879B4E0D5679DBtrueMicrosoft WindowsValid 734700x800000000000000033435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.575{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000033434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.575{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000033433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.575{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000033432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.562{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000033431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.562{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000033430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.562{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x800000000000000033429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.562{3AAE424D-E5C0-630D-4003-000000007502}31522300C:\Windows\system32\csrss.exe{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x800000000000000033428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.562{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000033427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.562{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000033426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.562{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000033425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.562{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000033424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.562{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6CtrueMicrosoft WindowsValid 10341000x800000000000000040003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:32.872{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000040002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:32.864{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000040001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:32.835{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000040000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:32.829{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:32.820{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:32.815{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:32.814{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:32.811{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:32.809{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:32.806{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:32.803{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:32.802{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:32.798{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:32.797{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:32.797{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:32.795{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:32.794{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:32.793{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:32.791{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 23542300x800000000000000039984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:32.288{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F436FA7A155C1DB42D09386A14FA65,SHA256=1AB01E65729824AA9D08717BDB9B2AD37B25299DD1D46EC7253D7418104DBDA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:32.280{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000039982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:32.279{BEA5AFC2-E595-630D-7006-000000007402}52725524C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438F10) 10341000x800000000000000033423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.562{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.562{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.562{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.562{3AAE424D-DEE2-630D-0500-000000007502}4081028C:\Windows\system32\csrss.exe{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.562{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+265d2|c:\windows\system32\rpcss.dll+4233d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.568{3AAE424D-EB78-630D-3504-000000007502}5900C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -EmbeddingC:\Windows\system32\WIN-HOST-CTUS-A\Administrator{3AAE424D-E5C3-630D-A9E7-310000000000}0x31e7a92HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x800000000000000033417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.562{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.562{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.562{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000033414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:32.544{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:32.544{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 734700x800000000000000033412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.544{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\System32\svchost.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 12241200x800000000000000033411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:50:32.544{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{0fbb77e6-284a-11ed-abad-02f04dc43d56} 10341000x800000000000000033410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.544{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000033409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:32.544{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport\PowerCycleCountDWORD (0x00000000) 13241300x800000000000000033408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:32.544{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\(Default)Binary Data 13241300x800000000000000033407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:32.544{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Enum\NextInstanceDWORD (0x00000000) 13241300x800000000000000033406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:50:32.544{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Enum\CountDWORD (0x00000000) 12241200x800000000000000033405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteValue2022-08-30 10:50:32.544{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Enum\0 12241200x800000000000000033404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:50:32.544{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 1 10341000x800000000000000033403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.529{3AAE424D-E5C4-630D-4A03-000000007502}27681144C:\Windows\system32\sihost.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+16625|C:\Windows\System32\modernexecserver.dll+48db6|C:\Windows\System32\modernexecserver.dll+34515|C:\Windows\System32\modernexecserver.dll+33e62|C:\Windows\System32\modernexecserver.dll+33ce9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.529{3AAE424D-E5C4-630D-4A03-000000007502}27681144C:\Windows\system32\sihost.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+16625|C:\Windows\System32\modernexecserver.dll+48db6|C:\Windows\System32\modernexecserver.dll+34515|C:\Windows\System32\modernexecserver.dll+33e62|C:\Windows\System32\modernexecserver.dll+33ce9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.529{3AAE424D-E5C4-630D-4A03-000000007502}27681144C:\Windows\system32\sihost.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+16625|C:\Windows\System32\modernexecserver.dll+48db6|C:\Windows\System32\modernexecserver.dll+34515|C:\Windows\System32\modernexecserver.dll+33e62|C:\Windows\System32\modernexecserver.dll+33ce9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.529{3AAE424D-E5C4-630D-4A03-000000007502}27681144C:\Windows\system32\sihost.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+16625|C:\Windows\System32\modernexecserver.dll+48db6|C:\Windows\System32\modernexecserver.dll+34515|C:\Windows\System32\modernexecserver.dll+33e62|C:\Windows\System32\modernexecserver.dll+33ce9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.529{3AAE424D-E5C4-630D-4A03-000000007502}27681144C:\Windows\system32\sihost.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+16625|C:\Windows\System32\modernexecserver.dll+48db6|C:\Windows\System32\modernexecserver.dll+34515|C:\Windows\System32\modernexecserver.dll+33e62|C:\Windows\System32\modernexecserver.dll+33ce9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.529{3AAE424D-E5C4-630D-4A03-000000007502}27681144C:\Windows\system32\sihost.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+16625|C:\Windows\System32\modernexecserver.dll+48db6|C:\Windows\System32\modernexecserver.dll+34515|C:\Windows\System32\modernexecserver.dll+33e62|C:\Windows\System32\modernexecserver.dll+33ce9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000033397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.529{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000033396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.513{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\virtdisk.dll10.0.14393.2007 (rs1_release.171231-1800)Virtual Disk API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationVIRTDISK.DLLMD5=52F41CC2AAA9548FE4F8CF122EC209EC,SHA256=BEE64EAC456019C6B1C6D04ECBE22CA4D8804BE87E003E2D3952801207BC6EF4,IMPHASH=A3334A2670A60783CE69DE81680830ACtrueMicrosoft WindowsValid 734700x800000000000000033395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.513{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 734700x800000000000000033394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.513{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000033393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.513{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000033392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.513{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000033391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.513{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000033390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.513{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000033389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.513{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x800000000000000033388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.513{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000033387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.513{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 10341000x800000000000000033386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.513{3AAE424D-DEE3-630D-1400-000000007502}8641244C:\Windows\system32\svchost.exe{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.513{3AAE424D-DEE3-630D-1400-000000007502}8641088C:\Windows\system32\svchost.exe{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000033384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.513{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000033383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.513{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000033382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.498{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000033381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.498{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000033380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.482{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000033379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.482{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000033378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.482{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x800000000000000033377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.482{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000033376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.482{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x800000000000000033375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.482{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000033374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.482{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000033373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.482{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000033372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.465{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000033371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.449{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000033370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.418{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x800000000000000033369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.418{3AAE424D-E5C0-630D-4003-000000007502}3152512C:\Windows\system32\csrss.exe{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x800000000000000033368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.418{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000033367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.418{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000033366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.418{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000033365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.418{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88trueMicrosoft WindowsValid 10341000x800000000000000033364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.418{3AAE424D-DEE2-630D-0500-000000007502}4081028C:\Windows\system32\csrss.exe{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.416{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.414{3AAE424D-DEE3-630D-1400-000000007502}8641244C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\appinfo.dll+cdf0|c:\windows\system32\appinfo.dll+12868|c:\windows\system32\appinfo.dll+12fbf|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.414{3AAE424D-DEE3-630D-1400-000000007502}8641244C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\appinfo.dll+cdf0|c:\windows\system32\appinfo.dll+12aa0|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:33.975{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07DDB416818C36A26B6008F976F492CF,SHA256=E721BB1E774736353B8E35156C3A2B5D38568C95F6E75CA16D0BF0BE89A050FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:33.975{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=674B0AEAC6954AB16CA9D11F08285C7A,SHA256=82AE26401F34F8161FBBE9FF3A29FE78DF0644AA8517F72A444B4910EF001CD0,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000033476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:33.650{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x800000000000000033475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:33.650{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x800000000000000033474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:33.650{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x800000000000000033473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:33.644{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x800000000000000033472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:33.644{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x800000000000000033471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:33.644{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x800000000000000033470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:33.643{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:33.938{BEA5AFC2-DC92-630D-2300-000000007402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00bf26b22d19118c1\channels\health\respondent-20220830094700-061MD5=C491190F90C7972FBE76687DCEFF5872,SHA256=DB0E0926111D00D550C987F8CEF70C29389AC9CA5369CEC4CC3BEF95D75DEA18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:33.346{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4094693EB6B08532C303BD20C234AFB,SHA256=BF1FABEA70960A5A19BCBB854499AD44918C858213E789C83812667B012842AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:33.180{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000033468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:33.180{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000033467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:33.180{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000033466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:33.179{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000033465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:33.179{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000033464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:33.179{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB78-630D-3404-000000007502}1708C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 23542300x800000000000000033479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:34.709{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FAE8F50D8B80E73104F506A147544C7,SHA256=C4255C60139BD962116E52FC1C297BFD135ED83346A62478BFE75E94978410B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:34.950{BEA5AFC2-DC92-630D-2300-000000007402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00bf26b22d19118c1\channels\health\surveyor-20220830094658-062MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:34.434{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D40BFBA0CE91C6C53E270267B50875E,SHA256=B7FE61287292FC5B31F7FEB708AF7467A72D286D7C027671E43216CE14725517,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:31.958{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63239-false10.0.1.12-8000- 23542300x800000000000000033481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:35.914{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A11A87A6F1312B09764CED5C4DE16EA,SHA256=45D9069D54B6E1334F61528A2765312B98403DECDD637B3D4C20DDDB4DDFFCBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:35.497{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=553C75261300FFA0DF2A4613CD28F4CF,SHA256=7CAC043AE24104399049AE05CE31A93F9B588FE382F281BC88B0257269BE62D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:32.892{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50349-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000040010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:36.582{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=001236614B03EA7B715689C61BDD2A5A,SHA256=CAA802E2A6CC178FCB9786FA6E9068FB2BA555EEA56BEC72F9C1393794204F33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:37.672{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAA30FC86FF5737DDE23EC2E3B22DD3F,SHA256=112E745C69A464B72D2129BB080B8D448748B02D243EE1560FE440420D55FE4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:37.001{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2318C6EF9768177955D0758ACD6936C,SHA256=A8D38CDA1EB80D622BE4F55830A37C64F4B432D57B800F2853A9E2286427F7CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:38.765{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0246F4133FA1A350A6F515C3CAED7DCE,SHA256=09D8A33CE97E75AC2EACEFCA942DB4DDD881E713C68F640ABBDE7E60FE13653B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:38.098{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F5015BD7B72D5F1C15ECE8C070A51A,SHA256=84F3C25D003420681AD0558AFFB3617962E1BBC0C07846D02443411C0B7342F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:39.866{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02C0EC17700E591FEBFC999845C9DDE0,SHA256=B97CF93638473B366485D02CDD2AF12ABA43C310D5BECB3E8C55EBC6EA8B7C4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:39.193{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E470FEF75516E08C1448E6BD88B55EB,SHA256=2D6F74EC07C02C8BDD9BEBE18350DAE564FEAB4ADD6A38B6F2F59F6A17A03E5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:40.963{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEFD1EA05D00DC61D8F30F83B05AED06,SHA256=7480184C78D00FECB13459BC97F92FDD49DF5F45359C9E662505F69B7E0DA4A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.884{3AAE424D-EB80-630D-3604-000000007502}47044024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000033535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.884{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000033534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.884{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000033533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.728{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000033532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.728{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000033531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.712{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000033530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.712{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000033529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.712{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000033528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.712{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000033527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.712{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000033526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.712{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000033525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.712{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000033524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.696{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000033523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.696{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000033522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.696{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000033521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.696{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000033520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.696{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000033519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.696{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000033518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.696{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000033517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.696{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000033516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.696{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000033515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.696{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000033514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.696{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000033513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.696{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000033512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.696{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000033511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.681{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000033510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.681{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000033509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.681{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000033508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.681{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000033507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.681{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000033506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.681{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000033505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.681{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000033504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.681{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000033503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.681{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000033502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.681{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000033501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.681{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000033500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.681{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000033499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.681{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000033498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.681{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000033497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.681{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000033496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.681{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000033495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.681{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000033494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.681{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000033493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.681{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x800000000000000033492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.681{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.681{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.681{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.681{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.681{3AAE424D-DEE2-630D-0500-000000007502}4081028C:\Windows\system32\csrss.exe{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.681{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.682{3AAE424D-EB80-630D-3604-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:40.280{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD6A058D7B4A5906484E3DEEB3CED38F,SHA256=5349E40C849F478A61E1A67DCBB2B6E9BAC42011F6BDE61F55C6FC8AE6DA6823,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:37.915{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63240-false10.0.1.12-8000- 13241300x800000000000000040016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:50:41.685{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8bc5e-0x5932775e) 23542300x800000000000000033595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.828{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4606E64BE4DC8BD7F061F39025680E9,SHA256=89F2BA3C6EDFFB5B5BC2B34CB6CE502FC312929D5A3F2B2FB054EAA04690F01D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.828{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0595DCEBEA1225D2C7C3B31208B73A0,SHA256=F0A1E4CB5C88A09C096BDB55A3D701FF50BF7A5F314779EE464DEC23AE502512,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.813{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=56485C1DFEB070860132BE0E0983B506,SHA256=DED44E2E94784ADA24C0A179B835ED871C74B77E970B271AF34F9306D3F58586,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000033592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.582{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000033591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.580{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000033590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.580{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000033589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.385{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000033588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.385{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000033587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.385{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000033586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.385{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000033585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.385{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000033584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.370{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000033583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.370{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000033582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.370{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000033581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.370{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000033580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.370{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000033579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.370{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000033578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.370{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000033577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.370{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000033576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.370{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000033575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.370{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000033574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.370{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000033573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000033572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000033571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000033570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000033569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000033568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000033567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000033566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000033565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000033564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000033563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000033562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000033561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000033560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000033559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000033558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000033557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000033556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000033555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000033554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000033553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000033552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000033551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000033550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000033549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000033548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000033547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000033546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000033545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x800000000000000033544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.354{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:41.355{3AAE424D-EB81-630D-3704-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000033537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:38.733{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50350-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x800000000000000033704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.888{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000033703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.888{3AAE424D-EB82-630D-3904-000000007502}59364844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000033702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.888{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000033701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.873{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000033700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.732{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000033699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.732{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000033698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.732{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000033697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.732{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000033696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.732{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000033695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.716{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000033694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.716{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000033693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.716{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000033692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000033691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000033690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000033689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000033688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000033687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000033686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000033685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000033684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000033683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000033682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000033681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000033680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000033679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000033678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000033677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000033676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000033675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000033674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000033673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000033672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000033671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000033670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000033669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000033668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000033667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000033666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000033665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000033664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000033663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000033662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000033661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000033660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.701{3AAE424D-EB82-630D-3904-000000007502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000033653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.545{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exeC:\Windows\System32\drvstore.dll10.0.14393.2791 (rs1_release.190205-1511)Driver Store APIMicrosoft® Windows® Operating SystemMicrosoft CorporationDRVSTORE.DLLMD5=D0DE1D69FC3F00F65F8D67C31BCC9682,SHA256=F27CEB248FCB3444B850896CB916DACC10BC730E7C2679D2A6C2582CC667F8AD,IMPHASH=AC3F232984E3ABCCF80F1B2A1ACA9991trueMicrosoft WindowsValid 734700x800000000000000033652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.545{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000033651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.545{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000033650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.544{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exeC:\Windows\System32\devinv.dll10.0.19645.1032 (WinBuild.160101.0800)Device Inventory LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinv.dllMD5=4AD8F9F4964B64FBF79D463A5DD6EA3E,SHA256=AC4C94B14924434CA3DEFE224E80D3BFD8B4078841C3DF2268C46CF215AB0F1C,IMPHASH=94EEFF72CC677C4C4124B0B3A85F7825trueMicrosoft WindowsValid 23542300x800000000000000033649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.408{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14B6B7D2524B255115B0CCFF862613ED,SHA256=3A488C520CE6506DC65D97089323ED2F5C438946EF9CCA978D6180F3DAB30F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:42.197{BEA5AFC2-DC81-630D-1000-000000007402}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5E465C3DCE0C847118B8D264C87B7A11,SHA256=FB0E2386FBE1C3618208865FE5E6D683336CD6E0A2D4095C68C36EA6E41F5DB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:42.057{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B0B095780112FEE3B150309CCDDFE6,SHA256=7E91B509B1EE614F2A92039CB32DDC6C67636FA86834713E3CFC53F774E78EDC,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000033648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.236{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000033647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.236{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000033646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.236{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000033645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.188{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F7C75D37A6AB2A76CBBB0E6F6C6945A,SHA256=705BE6981624E1A1EA878DFBE1D170479A3E9F4C10E35EE973D69EC47458882C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.094{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=84EE96E86D7D1C48F99F47FE6556C5A8,SHA256=30C481B4D17FBDA4A0BE8844CC01EE701175FA4926304618476997FED3AD84BC,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000033643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.047{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000033642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.047{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000033641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.047{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000033640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.047{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000033639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.047{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000033638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.047{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000033637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.047{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000033636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.047{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000033635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000033634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000033633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000033632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000033631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000033630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000033629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000033628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000033627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000033626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000033625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000033624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000033623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000033622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000033621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000033620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000033619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000033618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000033617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000033616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000033615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000033614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000033613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000033612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000033611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000033610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000033609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000033608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 10341000x800000000000000033607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000033606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000033605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000033604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000033603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x800000000000000033602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.031{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:42.032{3AAE424D-EB82-630D-3804-000000007502}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000033752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.873{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000033751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.873{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000033750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.873{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000033749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.873{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000033748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.873{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000033747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.873{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000033746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.873{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000033745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.873{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000033744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000033743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000033742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000033741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000033740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000033739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000033738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000033737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000033736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000033735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000033734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000033733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000033732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000033731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000033730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000033729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000033728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000033727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000033726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000033725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000033724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000033723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000033722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000033721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000033720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000033719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000033718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000033717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000033716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000033715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000033714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000033713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000033711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000033710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.858{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.859{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.514{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E788C92FD051F2ED00A90C802610A6EE,SHA256=EFEFDDE8C205419638688D4AF1C2BD530C838647A7758854B12E79573986D2D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:43.261{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4B85D20AB037C669F3E8E5D91BE020,SHA256=188D9486305E544EFD5DD0C85A506440BFDB1025BFE368865996F0BAD925FCC0,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000033808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.768{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000033807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.768{3AAE424D-EB84-630D-3B04-000000007502}47204652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000033806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.755{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000033805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.755{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000033804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.557{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000033803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.557{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000033802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.556{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000033801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.556{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000033800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.554{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000033799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.554{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000033798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.553{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000033797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.553{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000033796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.544{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000033795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.544{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000033794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.543{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000033793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.543{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000033792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.542{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000033791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.542{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000033790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.542{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000033789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.542{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000033788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.541{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000033787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.541{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000033786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.541{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000033785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.540{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000033784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.540{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000033783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.540{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000033782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.540{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000033781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.540{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000033780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.540{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000033779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.539{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000033778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.539{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000033777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.539{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000033776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.539{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000033775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.539{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000033774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.539{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000033773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.539{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000033772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.538{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000033771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.538{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000033770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.538{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000033769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.538{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 354300x800000000000000040021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:42.940{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63241-false10.0.1.12-8000- 23542300x800000000000000040020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:44.363{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BEB668643494D81BA8D68A2B1E3CFC6,SHA256=8E01C6A68394C65C182919BFEB745A63FCD15C055B3C068D23CA5EB5E5A6898A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.535{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000033767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.535{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000033766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.534{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000033765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.534{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000033764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.533{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x800000000000000033763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.533{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.533{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.533{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.533{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.532{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.532{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.532{3AAE424D-EB84-630D-3B04-000000007502}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000033756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.045{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000033755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.045{3AAE424D-EB83-630D-3A04-000000007502}43603984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000033754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.045{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000033753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:44.045{3AAE424D-EB83-630D-3A04-000000007502}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000040022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:45.460{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27707CF2C68A79B0618F8195D17C361E,SHA256=724ACBFEBE455B6F553169ADB2EBC3F8C3F3967AD21EA6467739EA85B5368558,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:45.082{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D8860C2B6704E5C90716FB75848B4C1,SHA256=B203D2008838AB224C96A6923A64EA5A9FB70C50C8E11799A30AD7D755FAECCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:46.556{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B362F9C9A805F2F6730B751C10AD1CF,SHA256=3C08136640269CA7194D978EA9CB914F4488B8CD5EE4243E64221B5AC2AD8CF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:43.821{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50351-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x800000000000000033861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.334{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000033860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.334{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000033859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.334{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000033858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.188{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BD2F1498C0F6B2C00F3B5353DF12541,SHA256=EF7793EE00E88276911DF7E73855AC149884B94DDF0E9778123BC5BE3C871610,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000033857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.125{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000033856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.125{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000033855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.125{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000033854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.125{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000033853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.125{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000033852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.125{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000033851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.125{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000033850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000033849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000033848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000033847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000033846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000033845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000033844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x800000000000000033843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000033842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000033841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000033840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000033839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000033838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000033837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000033836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000033835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000033834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000033833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000033832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000033831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000033830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000033829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000033828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000033827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000033826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000033825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000033824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000033823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000033822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000033821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000033820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000033819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000033818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000033817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x800000000000000033816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.110{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:46.111{3AAE424D-EB86-630D-3C04-000000007502}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:47.855{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=44FD2DD433253BDAB9D40C9C3EE8A694,SHA256=44527782B6AD369915F2E15E524C8F72BF85D66CF87DF034EAA3353908C51E3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:47.782{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EB87-630D-3407-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000040038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:47.782{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EB87-630D-3407-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000040037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:47.782{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EB87-630D-3407-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000040036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:47.782{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EB87-630D-3407-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000040035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:47.781{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EB87-630D-3407-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000040034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:47.781{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EB87-630D-3407-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 23542300x800000000000000040033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:47.644{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA727BFB2D299DE34279106320B036CF,SHA256=8A9287A10F892E64CDA359BD8E69BF7197024E87B7C2BD40C5AE4A7F13813BE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:47.613{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EB87-630D-3407-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:47.613{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:47.613{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:47.613{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:47.613{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:47.613{BEA5AFC2-DC7F-630D-0500-000000007402}416432C:\Windows\system32\csrss.exe{BEA5AFC2-EB87-630D-3407-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:47.613{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EB87-630D-3407-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:47.613{BEA5AFC2-EB87-630D-3407-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:47.301{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC8E482BF79E6ED91F74C8965189F86,SHA256=1B0A0E978C76A893266B764CCE63E360BAA496CF8C5A54D49CDA0E03C04FA4C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:47.175{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C09532E4F9CA1C06090361F1EB915D65,SHA256=A7B5808988DB4A8D5933C4F0E120BB91411F5CF2E364A2B9A9E42B63D3090746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:47.565{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=898FDC03445703531D7A2E259ADDBEB8,SHA256=8764EBF9B4DA3F2C6C9E4C99479BDDF1ECD497ED8D4F1F2FD63770EA02073EC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:48.964{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EB88-630D-3607-000000007402}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:48.964{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:48.964{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:48.964{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:48.964{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:48.964{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EB88-630D-3607-000000007402}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:48.964{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EB88-630D-3607-000000007402}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:48.965{BEA5AFC2-EB88-630D-3607-000000007402}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:48.731{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBF20E789912B4E630F427D3BCC25DF6,SHA256=143C1A6EF542CF33980B19B7719A8F99760653643D3197023C8A529CFABE35B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:48.731{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91B0D3D6534E68A1B29184075D5E6356,SHA256=C31C55ED9B690418D58B17787A9BA5D0A65817393C71E7A1463A81B4BA0FDA8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:48.347{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=154ED5D0E2855B381404593778A0674E,SHA256=5ACE6A68D84C881AF32CCCE2449DA1B20F654E9A5164F3E5921B478A7D2287CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:48.292{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EB88-630D-3507-000000007402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:48.292{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:48.292{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:48.292{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:48.292{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:48.292{BEA5AFC2-DC7F-630D-0500-000000007402}416432C:\Windows\system32\csrss.exe{BEA5AFC2-EB88-630D-3507-000000007402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:48.292{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EB88-630D-3507-000000007402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:48.293{BEA5AFC2-EB88-630D-3507-000000007402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000040086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:49.790{BEA5AFC2-EB89-630D-3707-000000007402}4328608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:49.547{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B349557D4C443B3573BB3AD7DF271831,SHA256=C03267AE1052023AA24A88C4C1B4041FD219B3E407075B8AAB8591A8D7437792,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:49.634{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EB89-630D-3707-000000007402}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:49.632{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:49.632{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:49.632{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:49.631{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:49.631{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EB89-630D-3707-000000007402}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:49.631{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EB89-630D-3707-000000007402}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:49.631{BEA5AFC2-EB89-630D-3707-000000007402}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000040077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:49.617{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:49.612{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:49.609{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:49.608{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:49.606{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:49.584{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:49.579{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:49.566{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:49.559{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:49.555{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:49.547{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:49.541{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:49.531{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:49.525{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:49.517{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:49.510{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:49.477{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:49.475{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:49.121{BEA5AFC2-EB88-630D-3607-000000007402}70205204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:50.891{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F374F0192F2A77B465E963949178751B,SHA256=BB831C0210975882D67EE952BE069931A2A928CA6D6C4CACE69350874C36CC57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:50.637{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A918AB619CF81D70C2ACA2F4894D0601,SHA256=4C0540238864DBBD6B168DBBB14B92D80C2649B2879F3FB55B3E60872D26814F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:50.744{BEA5AFC2-EB8A-630D-3807-000000007402}2392292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:50.591{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EB8A-630D-3807-000000007402}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:50.589{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:50.589{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:50.589{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:50.589{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:50.588{BEA5AFC2-DC7F-630D-0500-000000007402}416500C:\Windows\system32\csrss.exe{BEA5AFC2-EB8A-630D-3807-000000007402}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:50.588{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EB8A-630D-3807-000000007402}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:50.587{BEA5AFC2-EB8A-630D-3807-000000007402}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:50.133{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AE822E5B2CCD3D0056A0252D2C94E61,SHA256=027A951DAB27E45D7054BFFE6A53DC75359A13F3D075CEEF907FE0E6EA594E4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:50.059{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:50.055{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:50.054{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:50.051{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:50.046{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:50.033{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:50.030{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 23542300x800000000000000040123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:51.977{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C8B4991466B244E21A8875B77874457,SHA256=9BA05A6684AB15F3018D5E5B1C069FA83977B41476D11C0004A60587942C7C72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:51.946{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EB8B-630D-3A07-000000007402}7164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:51.946{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:51.946{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:51.946{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:51.946{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:51.946{BEA5AFC2-DC7F-630D-0500-000000007402}416500C:\Windows\system32\csrss.exe{BEA5AFC2-EB8B-630D-3A07-000000007402}7164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:51.946{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EB8B-630D-3A07-000000007402}7164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:51.947{BEA5AFC2-EB8B-630D-3A07-000000007402}7164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000033913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:48.947{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50352-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000033912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.806{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B29452D0BD6006A23CC1505F3A921527,SHA256=0289F223CF7CEA8EB170E120C82CB5A30797A1F4E610FE3FD6B48FDC2365EF20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.791{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 23542300x800000000000000033910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.791{3AAE424D-DEE3-630D-1100-000000007502}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=29BC57C4B5F35D13A0C1F86EB557D67C,SHA256=FB4AE20E2D5169711435925C1C6A26440338E8C20AF64E6254F6DB391D9AF7F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.787{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.773{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.771{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.770{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.768{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.749{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.735{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.689{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.677{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.663{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.653{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 354300x800000000000000040114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:48.940{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63242-false10.0.1.12-8000- 10341000x800000000000000040113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:51.409{BEA5AFC2-EB8B-630D-3907-000000007402}19444268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:51.268{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EB8B-630D-3907-000000007402}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:51.268{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:51.268{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:51.268{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:51.268{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:51.268{BEA5AFC2-DC7F-630D-0500-000000007402}416432C:\Windows\system32\csrss.exe{BEA5AFC2-EB8B-630D-3907-000000007402}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:51.268{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EB8B-630D-3907-000000007402}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:51.269{BEA5AFC2-EB8B-630D-3907-000000007402}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.648{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.645{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.642{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.637{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.635{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.627{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.625{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.623{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.620{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.613{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.611{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.610{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.603{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.586{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.580{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.578{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.571{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.558{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.550{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.540{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.492{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.478{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.465{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.455{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.436{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.430{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.422{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.414{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.397{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.383{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 10341000x800000000000000033868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:51.380{3AAE424D-E5D3-630D-6803-000000007502}57525844C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880A90) 23542300x800000000000000033914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:52.778{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=155D97857C273E129D1C63B1D868C76E,SHA256=C38F5B72FB19D483FF8D826055A27DD6D51972349B7012800E354663A825EE85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:52.670{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:52.662{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:52.642{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:52.636{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:52.628{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:52.623{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:52.622{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:52.619{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:52.615{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:52.611{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:52.609{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:52.608{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:52.604{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:52.603{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:52.603{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:52.601{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:52.600{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:52.598{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:52.596{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:52.087{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:52.086{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 23542300x800000000000000033915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:53.873{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA65D224EFD009AAD84C6722726A571,SHA256=EE60D9913CA0B64470BF20399D0074493513A4699A19CB451A9F6EA7AC72F190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:53.340{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=600425128BB938FD6068433CE4EA28E9,SHA256=DE3138D423D8970951D8808548D65BCECF3D367DAE9A9789297A8CEEDC503AE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:54.950{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CB0F85F1528AE4A17F72E6DA4FCF376,SHA256=6CE4DE5A4D5B858FF3C09623BACB9777D7568DA74F5C4BA4278D66EE50F4E36C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:54.361{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C13BDF471084023F9BAA872B5FDA975,SHA256=5F9DC3A8AED2793FDBDD255A234EF066EEEFC381611902C26B2BE262A9C40B77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:55.448{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE1155FE9D82344325C61A396235CCAD,SHA256=1086B9B4DDCF54C3E974482D2C5C4D54F8D08B957DBFA902FE4C63FF10961E2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:54.877{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63243-false10.0.1.12-8000- 23542300x800000000000000040148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:56.548{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=731C9E23DB161386571C84B03C74D07E,SHA256=705E331D539306106A63985ABD4943B954DA59352683CB30E4ECE675A6DA5AA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:54.865{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50353-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000033917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:56.038{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F9C84C59E0CDE5C38AF48D748DCD1BD,SHA256=6BC94FDC96CE7AE9C66A53D852FF94047D17150F2E8C67A01C7171BCC4CCC557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:57.644{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97DF91B393E05FDCBF13FBB2C5DF3C5B,SHA256=6ADFBF2EF8DE2F70F8B0ED8D2D0AF5192EBC3932CC4444EE87A4CC32842996FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:57.123{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6D8165CDDBF6D108D2FF864F0763625,SHA256=026B87C061F5CA7125B04A680BCB6D17D18182D85F997751F8303EDDEF220761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:58.732{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D604B5EDFCEFEF9878F9AD92AA346F5,SHA256=A77B7FCF8999DEBB1062E9554155693AAF6AE898772C0B207BDE685048516146,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:58.211{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E937B6A72016A7CC6D4F2B17B019E6A,SHA256=501790D3F4BCE56DEFEF5444EAE01FC04F64128BACAF19B964E3926C6FBBC9E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:50:59.405{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E73004BCE2018E94F1AB7C549D5EC023,SHA256=38DD1EE2552914512BFBCD153DF5D2E2277105E2FC350CA3AF9BC1C1FF59FBA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:50:59.810{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9253AD94E0B666F7E26CC4B248D91EC4,SHA256=DD94CB3F0CB4D2437F059D24F8D73FEE16233AFF74447DB2A49DCCF5A843DF63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:00.726{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=838D465F17D29B7C0F9CD6DE2E000C41,SHA256=DFE04516E8392D614F774704817BB6A8E89869703F1A2AC5230EDA39CDDCF5B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:00.897{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4729865F60FFD38BD186A4D3FCBB21F8,SHA256=45A28D3E94ACD9101F65CA40B7878CDC58DBD9F2A476B1F68DF38A5F1A7130CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:01.817{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA2FE23CAACBB2280F6246798E6B1499,SHA256=14AA36797BEDDE7FB8727CA7A4D247AB2B19C5BCC7CEBEEA1E9AA8A16E38CCA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:01.987{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F51B0E98EF189FFC671DE99014E13FBC,SHA256=33D0D528C3AA46045BED8EA6DB58E14473A32E49AD20C4D2E2A5F4C43AC378F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:02.911{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC960B499AB63773EFD806EDE387044,SHA256=9DE51EF9265C6318B5439585B8A3E39F04B1E3F47490094E86C04A98F2AAF55B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:00.026{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63244-false10.0.1.12-8000- 23542300x800000000000000033926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:03.992{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9BE0CC2E8D9FE4602BF39F1C27167D7,SHA256=D85ED1FEEE32BF2EFF1FAC2B964A0C58F105891494DD4962789F63C48CC3D2D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:03.090{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E1F92513BAD71FAA1B0D7EB1A37995,SHA256=7BEDD49CB7658498DFB3C7FD518A1040CA0E5C0E652590F13D54DBF5096A0D1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:00.750{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50354-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000040157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:04.180{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF5BAB563F167AF56B9934F5C274785B,SHA256=1B3D5DF561E5011FCB91CD05726A0C96088206C947CD9F4E2A5D183E8F3EC033,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:05.267{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B98415D8245B8B02F80BF4B7BE82CED,SHA256=B53F03E4204ABD723EE3B2E7B21DCD81329E875DF71E506F995627300E2445A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:05.695{3AAE424D-DEE3-630D-1400-000000007502}864NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\DeviceMetadataCache\OLDCACHE.000MD5=77DF2F814631C5CCED1E88EFBAD53928,SHA256=6D83ABFC1DC2D7DB4E3F855F81BF5EBF184CA7CDC664F7F84B62674965EFD7E7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000033928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:05.680{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceSetup\LastActiveTimeBinary Data 23542300x800000000000000033927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:05.087{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDCFD3F251E7E452E6AE23DEC5573DE7,SHA256=5643FE6A939E829C62F458ED6E3DADAB3C08387555D3A5B65384A218EA0D6B47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:06.361{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8EB58431A265EC65D9ED2487CF9204F,SHA256=B3875E067BD8C84B41A47D9462CABA3D36EBF5FFF1C1ECD29E72F9F0E8F8E14B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:06.728{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DFA45CF61FBE663A4547EC5EA30653AF,SHA256=3AA4A02250BB7BEBB837C7CF994A25C3441CE8B10A7B1173FE514A39BB7502B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:06.180{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09C37418A02722545CADDD949CE9A40,SHA256=42800CC6EF1CD1156B12D30F7E143B37D4E8F70DFAA69ABCF798EDF28D2F23E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:07.462{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A0A1AC1BD1DA0C5E6380C8ADA1942FA,SHA256=F3CDABBDEADBC28B05703C66404681A5D5C7ACC0C8FFCB29492C9E3D789DE08B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:07.279{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9241950D3BBC15A82F106B2BD34FB0C2,SHA256=F785E157C2E3F846A9753C9E2FC3E5B9B641B7EDC7678A7A0EC0C99ED5320287,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000033957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:08.898{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderTypeDocuments 13241300x800000000000000033956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:08.898{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderTypeDocuments 13241300x800000000000000033955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:08.882{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:08.882{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000033953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:08.882{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x800000000000000033952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:08.851{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x800000000000000033951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:08.851{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x800000000000000033950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:08.851{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x800000000000000033949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:08.851{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x800000000000000033948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:08.835{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderTypeDocuments 13241300x800000000000000033947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:08.835{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirectionDWORD (0x00000001) 13241300x800000000000000033946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:08.835{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PIDDWORD (0x00000004) 13241300x800000000000000033945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:08.835{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID{B725F130-47EF-101A-A5F1-02608C9EEBAC} 13241300x800000000000000033944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:08.835{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupViewDWORD (0xffffffff) 13241300x800000000000000033943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:08.835{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfoBinary Data 13241300x800000000000000033942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:08.835{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\SortBinary Data 13241300x800000000000000033941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:08.835{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSizeDWORD (0x00000030) 13241300x800000000000000033940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:08.835{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlagsDWORD (0x41200001) 13241300x800000000000000033939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:08.835{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewModeDWORD (0x00000002) 13241300x800000000000000033938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:08.835{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ModeDWORD (0x00000006) 13241300x800000000000000033937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:08.835{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid{65F125E5-7BE1-4810-BA9D-D271C8432CE3} 13241300x800000000000000033936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:08.835{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlagsDWORD (0x41200001) 13241300x800000000000000033935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:08.835{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\RevDWORD (0x00000000) 23542300x800000000000000033934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:08.381{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C257E4654E19880369054AC143243C,SHA256=7DD8B20EB53809856460EA811FA13E6813C1F99CDD637300AC5BADA5C7D6D7D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:08.556{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=317229BA83ED52405FC6ECB6849ED4A5,SHA256=FEC9B494ABDE952F7F84AEB9B08248764043ACDC13C8601F5277061A76FDF68A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:05.917{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63245-false10.0.1.12-8000- 354300x800000000000000033933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:05.907{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50355-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000034093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:09.820{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB78978EC1782BF5A6C99140A8F12FFF,SHA256=7B75965548084E4270D2CDBB4641579E27FA31DB29B57D35EDF138F3EF1A126F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000034092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 10341000x800000000000000040182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:09.641{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:09.634{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:09.632{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:09.628{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:09.625{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 23542300x800000000000000040177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:09.621{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=454790777CB5E94FC7B99493953F0587,SHA256=ED5B9B95A7BE24406BDDAC3A3FEC4A8B6E3D66993B159000D58117B988FC07D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:09.599{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:09.594{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:09.570{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:09.564{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:09.558{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 13241300x800000000000000034090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.703{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000033959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.687{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 23542300x800000000000000033958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:09.462{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9FEE8A81D31085EE80E5723C33BB868,SHA256=6DA932A350BA112AE7E1C8E316118FCE1F0E92346CBB1DDFC08CB5F868E779AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:09.551{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 23542300x800000000000000040170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:09.545{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F10761BF1FABE9ACA567A4E55D07BF6E,SHA256=D176E9D43E6FB26DF4788AECA2215E705A9EE9BCECF723BD66284464281BB053,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:09.544{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:09.535{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:09.528{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:09.520{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:09.513{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:09.475{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:09.473{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 23542300x800000000000000034126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:10.576{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EC3BB3F8E7E3BD94984D20081B5B5D8,SHA256=9DD5E0D7D7E0F5D41571DEA08091308D415407609AB39FBD9176FE06BCC1A242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:10.667{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=838C1A9616C37C50276FF0794211F020,SHA256=4BF4A64E979D1ED5C300C19124931DD52823B0EE018A603F0B6F83D6E675CD23,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000034125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:10.232{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\SniffedFolderTypeDocuments 13241300x800000000000000034124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:10.232{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\SniffedFolderTypeDocuments 13241300x800000000000000034123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:10.217{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:10.217{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000034121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:10.217{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x800000000000000034120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:10.201{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x800000000000000034119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:10.201{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x800000000000000034118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:10.184{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000034117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:10.184{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000034116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:10.184{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\SniffedFolderTypeDocuments 13241300x800000000000000034115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:10.184{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000034114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:10.184{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000034113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:10.184{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000034112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:10.184{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000034111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:10.184{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirectionDWORD (0x00000001) 13241300x800000000000000034110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:10.184{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PIDDWORD (0x00000000) 13241300x800000000000000034109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:10.184{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID{00000000-0000-0000-0000-000000000000} 13241300x800000000000000034108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:10.184{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupViewDWORD (0x00000000) 13241300x800000000000000034107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:10.184{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfoBinary Data 13241300x800000000000000034106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:10.184{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\SortBinary Data 13241300x800000000000000034105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:10.184{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSizeDWORD (0x00000010) 13241300x800000000000000034104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:10.184{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200011) 13241300x800000000000000034103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:10.184{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewModeDWORD (0x00000001) 13241300x800000000000000034102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:10.184{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ModeDWORD (0x00000004) 13241300x800000000000000034101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:10.184{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid{137E7700-3573-11CF-AE69-08002B2E1262} 13241300x800000000000000034100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:10.184{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x800000000000000034099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:10.184{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\RevDWORD (0x00000000) 13241300x800000000000000034098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.995{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000034097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.995{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000034096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.995{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListExBinary Data 13241300x800000000000000034095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.995{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000034094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:09.995{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 10341000x800000000000000040189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:10.051{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:10.047{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:10.046{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:10.044{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:10.038{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:10.025{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:10.022{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 23542300x800000000000000034170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.953{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7DBE9F24FBA3CD4387BFA392C3B0333,SHA256=C84921758D62EFA6F5034380F10BBCEA8F3B1A16E8CDB5805067B5ED4DEBF979,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.703{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.701{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.699{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.698{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 23542300x800000000000000040191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:11.746{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB9F323EF3B1BD5544D9909EA8817C3,SHA256=487EEE76D82A06A3F7FBBC85E489CD735BCE93B7AD7183275A223EEE55FE2957,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.697{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.696{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.677{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.667{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.626{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.618{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.607{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.602{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.600{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.597{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.595{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.591{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.590{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.586{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.585{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.584{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.583{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.581{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.580{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.578{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.574{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.569{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.566{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.564{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.557{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.543{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.540{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.529{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.489{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.477{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.459{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.444{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.430{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.425{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.416{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.407{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.399{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.386{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 10341000x800000000000000034127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.383{3AAE424D-E5D3-630D-6803-000000007502}57525848C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880CD0) 23542300x800000000000000034172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:12.845{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78ACFED3E714DCE0404493D9CE3979C1,SHA256=9B59DB70A46003628F2A21196345FC81C5BBAC72D58D390BA35D8B3E78D8CEE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:12.825{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A03B81357995FF5BA77565B71329F0,SHA256=B4603E424F3AB592AFC2BF083AF9359174ACA90494030EC94128444250598B98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:12.236{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3042EBABD2D9A8E9997AEA3DED51A8CF,SHA256=B688C11E6D2C365D64596B474661CFE4FB8B0A2D4F043A958DC9D4C13A5AFCD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:12.687{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:12.668{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:12.640{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:12.634{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:12.621{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:12.615{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:12.613{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:12.611{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:12.606{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:12.604{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:12.601{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:12.600{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:12.597{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:12.596{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:12.595{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:12.594{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:12.593{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:12.592{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:12.590{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 354300x800000000000000040194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:09.303{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63246-false10.0.1.12-8089- 10341000x800000000000000040193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:12.077{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:12.076{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 23542300x800000000000000040215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:13.938{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA5D30AED2197DB629CE886B2815823,SHA256=9CFDFA3BE0CE0BB49DF5BF06A7A89FE60B82DBBC379303975DD0B57ABD273692,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000034180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:13.494{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000034179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:13.494{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x800000000000000034178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:13.494{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000B042C\VirtualDesktopBinary Data 10341000x800000000000000034177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:13.479{3AAE424D-E5C4-630D-4D03-000000007502}38763224C:\Windows\system32\taskhostw.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000034176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:13.384{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 10341000x800000000000000034175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:13.368{3AAE424D-E5C4-630D-4D03-000000007502}38763224C:\Windows\system32\taskhostw.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000034174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:13.353{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\chartv.dll10.0.14393.447 (rs1_release_inmarket.161102-0100)Chart ViewMicrosoft® Windows® Operating SystemMicrosoft Corporationchartv.dllMD5=A503F84DE81A3F559BB7620764EC843E,SHA256=E43FE5BAD0D27AD9A4F8387C6926C11EBCB895272AD45F7F3A1CCF221EC85EC4,IMPHASH=9F006C4CB45C8FA41AB914F6D399701DtrueMicrosoft WindowsValid 23542300x800000000000000034173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:13.182{3AAE424D-DEE3-630D-1A00-000000007502}1788NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-057096b16942fd9f4\channels\health\respondent-20220830095653-052MD5=D4339613963D06E92774A3EB9FED8697,SHA256=EC6B2C8C371CA336E2A0B482E95A3B0DACA37B87AC3FADB516AE5F6436D8643B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:14.710{3AAE424D-DEE2-630D-0D00-000000007502}7883620C:\Windows\system32\svchost.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000034189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:11.837{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50356-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000034188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:14.188{3AAE424D-DEE3-630D-1A00-000000007502}1788NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-057096b16942fd9f4\channels\health\surveyor-20220830095651-053MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:14.154{3AAE424D-E5C4-630D-5403-000000007502}3604WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Temp\notes.isoMD5=A7DF3462A6DCE565064CFE408557C4DF,SHA256=1FC7B0E1054D54CE8F1DE0CC95976081C7A85C7926C03172A3DDAA672690042C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000034186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:14.112{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000B042C\VirtualDesktopBinary Data 13241300x800000000000000034185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:14.073{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 12241200x800000000000000034184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:51:14.073{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000B042C 13241300x800000000000000034183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:14.057{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000034182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:14.057{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 23542300x800000000000000034181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:14.057{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD57BA0F77BA8BD6C6E72A66C720DB3,SHA256=81CDA969C1456242E02185B918B9266AC0BC4F2B1BBD540C63ED1C5EFFCF15B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:14.755{BEA5AFC2-DC81-630D-0D00-000000007402}9123812C:\Windows\system32\svchost.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:14.519{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83F2FA501BEF6F2632F1476CF3A2551F,SHA256=4D0094E081E4CC0DD4C9CED98D71B40D608521130E6534E9D3A44E922390D2EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:11.912{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63247-false10.0.1.12-8000- 23542300x800000000000000034191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:15.164{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FB3C132CA8DAED0AC05A36691EF5534,SHA256=89C0D1E3F36818C096C76462F5B88EA5A893C2EF16F43E559F86A7C36751647A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:15.036{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3166BCA972D90A3FC34934943DD6AC88,SHA256=E2B50F3B34B17A1F4EA3C39E2233848C006FC140970A5B5A8A09BD413FE18656,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000034203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:16.672{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000060320\VirtualDesktopBinary Data 23542300x800000000000000034202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:16.625{3AAE424D-E5C4-630D-5403-000000007502}3604WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Temp\apt-ratel-7771846134.zipMD5=8C1E3ABCABD03869945E87B2DB446721,SHA256=DF14DE5C9B453BCA41279E46657BAFB31FFAE092434E7065B8ADB67A1CFB98F0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000034201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:16.610{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 12241200x800000000000000034200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:51:16.610{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000060320 13241300x800000000000000034199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:16.594{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000034198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:16.594{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 23542300x800000000000000034197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:16.266{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=746DC993C137F7AFA5B7E1BF4B579FA0,SHA256=B81DE48797A6F632D18B6CB32F97CA7B436D8E92C3BC1C3241B377615D7FEA2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:13.271{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local63248-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000040221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:13.271{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local63248-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local389ldap 23542300x800000000000000040220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:16.116{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8A40786AC5372D5F931305FFA9636AE,SHA256=05324CE0A169884353BF95AE77E3DCC941C4E849D121145AC850C442ED23AA07,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000034196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:16.108{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000034195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:16.108{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x800000000000000034194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:16.108{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000060320\VirtualDesktopBinary Data 13241300x800000000000000034193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:16.108{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 10341000x800000000000000034192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:16.092{3AAE424D-E5C4-630D-4D03-000000007502}38763224C:\Windows\system32\taskhostw.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:17.353{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B69B17F33A447A2A7F01D7A1A9E9602,SHA256=6CAA0AEBB5621633D423D828C0F514B2877BCF038D72063D3A4969F0470F7802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:17.825{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=63FDBB754E8F052ABD5D2FF781D577F3,SHA256=04AC1488111DDE7EF74C83AC8F4523D17F9651377CB0138BAF1FC3A21618C833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:17.208{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4E74421F178DDCC7133A4567AFB78CA,SHA256=5D41E4C5CA7B2EB6335980A2C7DD370C28703DC70FF73F456B06DCA5275DF67C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000034207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:18.909{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\DisallowedCertLastSyncTimeBinary Data 734700x800000000000000034206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:18.862{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\System32\svchost.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355,IMPHASH=FE994282C73F9AB11AC9B6E37AC26B47trueMicrosoft WindowsValid 23542300x800000000000000034205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:18.455{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDBF9B3E38FB9CD6B55D50ABB07CC482,SHA256=0F0986E1755AC2704EA0C8A7FCA7BE4C18E378432C39069B78E88F59561CE906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:18.294{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02252041A038F13DFF32D2E069839999,SHA256=E9877520B8684264D3314661E321A48B0A6F88A149C5F646B587965D517A8249,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000034214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:19.860{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000034213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:19.860{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x800000000000000034212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:19.860{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000060344\VirtualDesktopBinary Data 10341000x800000000000000034211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:19.844{3AAE424D-E5C4-630D-4D03-000000007502}38763224C:\Windows\system32\taskhostw.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000034210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:19.829{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 23542300x800000000000000034209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:19.547{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82989E11E5785B135448343AD5F21414,SHA256=91BD47DA1A97B330CD335F090148903B28F6634F3989492E380A3197E9BC2599,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:17.769{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50357-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000040226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:19.410{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BDF75779C0704CF188CEE72A0B07C93,SHA256=DCFD989AC01699497DF9893D7D7FFDEDF044DB66254B5905DD72F415160711BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:20.648{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8EC7CEAF7C912B38ADB9A413A7B3789,SHA256=E9AC4055820620B17B54E6BAC9AE3386A3B3CE61FA53E498202EDDBBA5EE23E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:20.491{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2290D71BEEE6CAA1793E3CC97208B9,SHA256=A17BD9F9978B0E8F6847013EA6E7252F1A716ACE231595C39CE711F9822E24AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:18.602{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50358-false208.111.186.0https-208-111-186-0.mdw.llnw.net80http 354300x800000000000000040228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:18.658{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal64370- 354300x800000000000000040227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:17.847{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63249-false10.0.1.12-8000- 23542300x800000000000000034217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:21.741{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290CE061993A7932AC7D31635F9FC462,SHA256=B14E64D6FE328B502001C190B31F921DBC5E95C30F2D84E7D0EC89B51612A1D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:21.580{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=319E21C2F3056577921A286F7B0F285B,SHA256=C4C2F0DEE0980C75F7A61ED85359857C2B494AA8267C979ED5EC435F225F70BE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000034246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:22.892{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:22.892{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 734700x800000000000000034244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:22.892{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\mydocs.dll10.0.14393.4169 (rs1_release.210107-1130)My Documents Folder UIMicrosoft® Windows® Operating SystemMicrosoft Corporationmydocs.dllMD5=999FD44CF5713852E6083A43A7917761,SHA256=D5C75951C29B7F0AAA4EC9E9AB3195933E650C1F171092F389FD4DB66CA1CA20,IMPHASH=D1267CC8F49B54A66A0034D2C4452E93trueMicrosoft WindowsValid 13241300x800000000000000034243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:22.892{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 734700x800000000000000034242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:22.876{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\sendmail.dll10.0.14393.4169 (rs1_release.210107-1130)Send MailMicrosoft® Windows® Operating SystemMicrosoft CorporationSENDMAIL.DLLMD5=04626525E567811FC7ECB3E31D94F8B0,SHA256=678A3A9DD713DC61F72112BD3160B8753F1A50D1179FDFABD265C32103980A6A,IMPHASH=52DBB027F849F4DB11CB3C2B56C0E9FBtrueMicrosoft WindowsValid 13241300x800000000000000034241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:22.876{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:22.861{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:22.861{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:22.845{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32\fsquirt.exe.ApplicationCompanyMicrosoft Corporation 13241300x800000000000000034237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:22.845{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32\fsquirt.exe.FriendlyAppNamefsquirt.exe 10341000x800000000000000034236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:22.845{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:22.845{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:22.845{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:22.845{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000034232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:22.845{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithProgids\CompressedFolderBinary Data 13241300x800000000000000034231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:22.845{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:22.845{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:22.845{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:22.845{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:22.845{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:22.845{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:22.845{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:22.845{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 23542300x800000000000000034223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:22.829{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3832074DB93388D6A931F7BB96811FA3,SHA256=9D235C778DAACEF010E38CC3B842615065E9AE4B4E10A4DE381DF0A60EC72F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:22.681{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B63CAF8F431B22671C990AD5617ADB,SHA256=26D272718C876F8F024A8912642B64CDE376FB6C7DE380645E09C3DB4E4FF084,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000034222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:22.179{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000060344\VirtualDesktopBinary Data 13241300x800000000000000034221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:22.132{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 12241200x800000000000000034220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:51:22.116{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000060344 13241300x800000000000000034219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:22.116{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000034218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:22.116{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 23542300x800000000000000034247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:23.928{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C15DCCAE2FD0EC7776F7F6C791EFD0F,SHA256=98BFD5CECCD4A5F6D56E189FA95B5D59F3D87D50695DC52A8147E0D09231F9E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:23.773{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF74DAF87F87691D380B93F6A8B923B,SHA256=7D023EC06909727DE40A79CA3763646DA23CA65BFDDFAA686796B46A38B66CB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:24.863{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F633510AA788AF42CF1CE3B84859FA07,SHA256=A3C4E813273F8AA3BE9709D5ABED9828F41A8AAE51B348AA77223696A0C447AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:25.949{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ACD20DEC33154E90CFF2EA2D256BEBA,SHA256=CA4C36DF0C122986F134C0870E89EE8FE7748B4A40AEE994CAA71BACD63AA5E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:22.823{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50359-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000034248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:25.036{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=322C3B0A5007FD9646C626EC383BD135,SHA256=D7DC463A8AC1A5525FE854D50E7A8A30C8A43E1096F698FB23819F9D00557B39,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:23.848{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63250-false10.0.1.12-8000- 23542300x800000000000000034325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.612{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF5EEBDED913C70339D0E1138F8A216A,SHA256=6FE18C973D931AE3CB32927BD82E482A4A662E4C3B4E13D8CA0D08A1E6FDBE4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.472{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000034323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.472{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000034322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.472{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000034321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.471{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000034320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.471{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000034319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.471{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000034318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.211{3AAE424D-E5C4-630D-4D03-000000007502}38763224C:\Windows\system32\taskhostw.exe{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000034317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:26.179{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000034316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:26.179{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 10341000x800000000000000034315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.179{3AAE424D-E5C4-630D-5403-000000007502}36044392C:\Windows\Explorer.EXE{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.179{3AAE424D-E5C4-630D-5403-000000007502}36044392C:\Windows\Explorer.EXE{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.179{3AAE424D-E5C4-630D-5403-000000007502}36044392C:\Windows\Explorer.EXE{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000034312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:26.179{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000090344\VirtualDesktopBinary Data 10341000x800000000000000034311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.163{3AAE424D-E5C4-630D-5403-000000007502}36041300C:\Windows\Explorer.EXE{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.163{3AAE424D-E5C4-630D-5403-000000007502}36041300C:\Windows\Explorer.EXE{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.163{3AAE424D-E5C4-630D-5403-000000007502}36041300C:\Windows\Explorer.EXE{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.163{3AAE424D-E5C4-630D-5403-000000007502}36041300C:\Windows\Explorer.EXE{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.163{3AAE424D-E5C4-630D-4D03-000000007502}38763224C:\Windows\system32\taskhostw.exe{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000034306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:26.163{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 10341000x800000000000000034305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.163{3AAE424D-E5C4-630D-4D03-000000007502}38763224C:\Windows\system32\taskhostw.exe{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.163{3AAE424D-E5C4-630D-5403-000000007502}36044756C:\Windows\Explorer.EXE{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.163{3AAE424D-E5C4-630D-5403-000000007502}36044756C:\Windows\Explorer.EXE{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.163{3AAE424D-E5C4-630D-5403-000000007502}36044756C:\Windows\Explorer.EXE{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.163{3AAE424D-E5C4-630D-5403-000000007502}36044756C:\Windows\Explorer.EXE{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.148{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=689F37E0DE22FCFDDD190EC5806EDAD0,SHA256=4C745B9CD0F99392BA271BAAD217CD213E45FEB471000960A7CBCDC793EE36F0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000034299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:26.148{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000080344\VirtualDesktopBinary Data 734700x800000000000000034298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.117{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x800000000000000034297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.117{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 10341000x800000000000000034296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.117{3AAE424D-DEE2-630D-0B00-000000007502}6245608C:\Windows\system32\lsass.exe{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000034295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.117{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\ExplorerFrame.dll10.0.14393.4169 (rs1_release.210107-1130)ExplorerFrameMicrosoft® Windows® Operating SystemMicrosoft CorporationExplorerFrame.dllMD5=BB0850797E5D50E70FFB3FFCEBFE77A9,SHA256=042F69100AAEB04CF79872035422A033FB87F2F0113EE89AB6B61FFA41A224D8,IMPHASH=BE381F028EB6D274783D5F8AA4F3DCECtrueMicrosoft WindowsValid 734700x800000000000000034294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.117{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x800000000000000034293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.117{3AAE424D-DEE2-630D-0B00-000000007502}6245608C:\Windows\system32\lsass.exe{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000034292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.117{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000034291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.117{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Program Files\7-Zip\7z.dll22.017z Plugin7-ZipIgor Pavlov7z.dllMD5=BBF51226A8670475F283A2D57460D46C,SHA256=73578F14D50F747EFA82527A503F1AD542F9DB170E2901EDDB54D6BCE93FC00E,IMPHASH=4A683D6F78CDDF7C7CDA44D5A4669025false-Unavailable 10341000x800000000000000034290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.117{3AAE424D-DEE2-630D-0B00-000000007502}6245608C:\Windows\system32\lsass.exe{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.117{3AAE424D-DEE2-630D-0B00-000000007502}6245608C:\Windows\system32\lsass.exe{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000034288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.085{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\comdlg32.dll10.0.14393.5192 (rs1_release.220610-1622)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=F8BDE1A5CF167F3CB31D90BAFCA37CF0,SHA256=F356387B7DA3C0D7C8DE54B1DD08258F0FA974403BE11534CAC2C7A276DDFBA8,IMPHASH=06716A63D3E6F97CB489B0D6810B3519trueMicrosoft WindowsValid 10341000x800000000000000034287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.101{3AAE424D-DEE3-630D-1400-000000007502}8641180C:\Windows\system32\svchost.exe{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.101{3AAE424D-DEE3-630D-1400-000000007502}8641088C:\Windows\system32\svchost.exe{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000034285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.101{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000034284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.101{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000034283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.101{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000034282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.101{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000034281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.101{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000034280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.101{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000034279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.101{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000034278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.085{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000034277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.085{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000034276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.085{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000034275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.085{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x800000000000000034274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.085{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000034273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.085{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x800000000000000034272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.085{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000034271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.085{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000034270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.085{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000034269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.085{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000034268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.085{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000034267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.085{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000034266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.085{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000034265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.085{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000034264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.085{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000034263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.085{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000034262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.085{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000034261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.085{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x800000000000000034260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.070{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000034259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.070{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000034258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.070{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000034257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.070{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000034256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.070{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exeC:\Program Files\7-Zip\7zG.exe22.017-Zip GUI7-ZipIgor Pavlov7zg.exeMD5=5AB26FFD7B3C23A796138640B1737B48,SHA256=EB775B0E8CC349032187C2329FEFCF64F5FEED4D148034C060E227ADF6D38500,IMPHASH=F5976AA5B71D78D164DDC61EA72A2DA7false-Unavailable 10341000x800000000000000034255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.070{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.070{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.070{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.070{3AAE424D-E5C0-630D-4003-000000007502}31522856C:\Windows\system32\csrss.exe{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.070{3AAE424D-E5C4-630D-5403-000000007502}36044168C:\Windows\Explorer.EXE{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\7-Zip\7-zip.dll+558c|C:\Program Files\7-Zip\7-zip.dll+6955|C:\Program Files\7-Zip\7-zip.dll+712e|C:\Program Files\7-Zip\7-zip.dll+7275|C:\Program Files\7-Zip\7-zip.dll+8ff3|C:\Program Files\7-Zip\7-zip.dll+c541|C:\Windows\System32\SHELL32.dll+8e02f|C:\Windows\System32\SHELL32.dll+cf48e|C:\Windows\System32\SHELL32.dll+18377c|C:\Windows\System32\SHELL32.dll+19e928|C:\Windows\System32\SHELL32.dll+2845c3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+183a20|C:\Windows\System32\SHELL32.dll+180dfe|C:\Windows\System32\SHELL32.dll+81601|C:\Windows\System32\SHELL32.dll+844e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15 154100x800000000000000034250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:26.078{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe22.017-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Temp\" -an -ai#7zMap23921:56:7zEvent13782C:\Windows\system32\WIN-HOST-CTUS-A\Administrator{3AAE424D-E5C3-630D-A9E7-310000000000}0x31e7a92HighMD5=5AB26FFD7B3C23A796138640B1737B48,SHA256=EB775B0E8CC349032187C2329FEFCF64F5FEED4D148034C060E227ADF6D38500,IMPHASH=F5976AA5B71D78D164DDC61EA72A2DA7{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x800000000000000040236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:27.051{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B2E29751C37536AC3FA50CC38BFCE39,SHA256=BAE6AA1C548575889167EF0921F1F92B4E2ED202495339772C2EEDB4F0B99986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:27.475{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F10761BF1FABE9ACA567A4E55D07BF6E,SHA256=D176E9D43E6FB26DF4788AECA2215E705A9EE9BCECF723BD66284464281BB053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:27.143{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B2DF04840D697ED26E1649A9185E13,SHA256=067E8D31D7FE5141F85879912AC71298E26C9DD3D923DA067F7832F6DA69ADB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:27.127{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E3098E0BBC04CAB6A499555CCD2A7DD,SHA256=1D6ABB70B0E4571791F3AA8ECA4CEFDAA3185E9AA69CE41002EE03C366179B03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:28.145{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A97A35DD18B1BBA87C56801DBBFFC19,SHA256=739C7C272E6DE4478B70FF70B605FCED89ECC63D4E911B4CCD5C5AE4B645B3A7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000034340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:28.769{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000090344\VirtualDesktopBinary Data 13241300x800000000000000034339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:28.722{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000001045C\VirtualDesktopBinary Data 13241300x800000000000000034338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:28.722{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 12241200x800000000000000034337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:51:28.707{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000090344 13241300x800000000000000034336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:28.691{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000034335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:28.691{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\7-Mvc\7mT.rkrBinary Data 13241300x800000000000000034334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:28.644{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000034333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:28.644{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\7-Mvc\7mT.rkrBinary Data 10341000x800000000000000034332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:28.644{3AAE424D-E5C4-630D-5403-000000007502}36044392C:\Windows\Explorer.EXE{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:28.644{3AAE424D-E5C4-630D-5403-000000007502}36044392C:\Windows\Explorer.EXE{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:28.644{3AAE424D-E5C4-630D-5403-000000007502}36044392C:\Windows\Explorer.EXE{3AAE424D-EBAE-630D-3D04-000000007502}5248C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:28.245{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36492F17BBEF3AD52E064157C3D2C3F,SHA256=7BE2607A98016550A3A76704754BA097459130351449761FAAD3F105E8DC1DD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:29.689{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000040255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:29.684{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000040254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:29.681{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000040253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:29.680{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000040252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:29.676{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000040251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:29.648{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000040250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:29.638{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000040249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:29.615{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000040248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:29.606{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000040247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:29.602{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000040246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:29.587{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000040245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:29.577{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000040244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:29.557{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000040243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:29.550{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000040242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:29.542{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000040241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:29.530{BEA5AFC2-E595-630D-7006-000000007402}52725420C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012820190) 10341000x800000000000000040240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:29.484{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 10341000x800000000000000040239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:29.482{BEA5AFC2-E595-630D-7006-000000007402}52725412C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012896190) 23542300x800000000000000040238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:29.231{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8889D59BFFA5CD0693E82479388F35A8,SHA256=BCA2721D6ECE9EE3465F2E1A659679B39965967E88A4A1AD9D667DD23CFA334A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:27.831{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50361-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000034342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:27.171{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50360-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000034341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:29.333{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C233F0FB6D1AD1A08BD1A5FF42832887,SHA256=E7DEC18C7A2795C43B691F87CD886CED57F2DD2731C61DF5DF2286612E1C8FBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:30.265{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB290E0F3DC6AB7698089235C55235A,SHA256=77F486A738DC61F1C79431E2A5BB92CFC5EA22EC5F432242BEC65227D4D60855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:30.417{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA05A4B873DA0B065FF36F441C071C0,SHA256=A86570AE3322E1DA4B9F964DC4C33A2D1804838391AE80B8B6AD156C5E4DE274,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:30.111{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:30.103{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:30.101{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:30.098{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:30.091{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:30.072{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:30.069{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:31.930{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:31.930{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:31.930{BEA5AFC2-DC7F-630D-0B00-000000007402}640768C:\Windows\system32\lsass.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:31.917{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-E595-630D-7006-000000007402}5272C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000040266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:28.941{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63251-false10.0.1.12-8000- 23542300x800000000000000040265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:31.355{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1199CE66BC257DA177F88A8428E7D20,SHA256=E203C76D9D709E5457E761DC094712D5AFE3ED43E177C79C700F66AF4AFBCFA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.796{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.794{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.792{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.792{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.791{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.790{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.767{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.748{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 13241300x800000000000000034382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:31.722{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000034381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:31.722{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 10341000x800000000000000034380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.696{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.689{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.678{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.672{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.669{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.666{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.664{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.661{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.660{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.656{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.654{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.653{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.651{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.644{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.643{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.641{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.637{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.626{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.622{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.619{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.612{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.594{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.590{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.579{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.536{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.526{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.508{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.500{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 23542300x800000000000000034352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.500{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23E339845994C2F2BF6483D2EB9E0F66,SHA256=080770C03B2D7F34BE6673B2EE7AB84D16B9DF32E1EDB0541B9CD220941D29D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.485{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.472{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.460{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.444{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.428{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.415{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 10341000x800000000000000034345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:31.411{3AAE424D-E5D3-630D-6803-000000007502}57525948C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00F10) 23542300x800000000000000034391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:32.721{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22165DECEE2E1B9AE8F8109744ED1DF2,SHA256=AECA2476D42B7B9AE1F5AB720D47B7FABE4FDD163BE2742D3B473FBF44CBF391,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:32.734{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:32.723{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:32.703{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:32.697{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:32.688{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:32.683{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:32.681{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:32.679{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:32.676{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:32.672{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:32.670{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:32.669{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:32.665{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:32.664{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:32.663{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:32.663{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:32.661{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:32.659{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:32.657{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 23542300x800000000000000040273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:32.451{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18A0ECEBB2F1A9C20D27BEB90CB9D04A,SHA256=0FE06CD0C8D558DDC3CB1686A4855D03931A33B689CB7144AF2F9B5EE3C17069,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:32.138{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:32.137{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 23542300x800000000000000034402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:33.885{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F16030989B1F8FDF5292CD56B3B97E9,SHA256=70D7CDDE2ABEB455005C147D41DA14AE0953C6E228F8729DB236D5574855F0E5,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000040294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:51:33.660{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8bc5e-0x782d3a2d) 23542300x800000000000000040293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:33.529{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5D9AF07BC3F8EA9358E62823903F822,SHA256=EB872CA9CD876B75AD057823D00297AE00E1FD847420554861641A342FA75905,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:33.646{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:33.646{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:33.646{3AAE424D-DEE2-630D-0B00-000000007502}6245608C:\Windows\system32\lsass.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000034398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:33.638{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x800000000000000034397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:33.638{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x800000000000000034396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:33.636{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x800000000000000034395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:33.632{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x800000000000000034394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:33.632{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x800000000000000034393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:33.632{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x800000000000000034392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:33.631{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:34.977{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD376C94E72E5848AD9F358DF8D2AB74,SHA256=DA70595138BD71166C6EE2384FC9247C6809B4CBABB64CD8A1C894286CD10EA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:34.630{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7405370764C64D25DB8E5872A82459A8,SHA256=DE9AB2EACADAC53C67F908F8AF40C9B0677FF650AB21AA68B464A6DB9AD51F65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:35.721{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=601C59DD2928503C047090EA19B947F3,SHA256=B4845CD208AA649CD8FDD70A33D9EE4CD073BBD41841EF12393DFCF7DF97E0D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:35.692{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000034413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:35.692{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000034412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:35.692{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000034411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:35.692{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000034410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:35.692{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000034409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:35.685{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000034408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:35.685{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000034407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:35.685{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000034406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:35.684{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000034405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:35.682{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000034404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:35.682{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 23542300x800000000000000040296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:35.472{BEA5AFC2-DC92-630D-2300-000000007402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00bf26b22d19118c1\channels\health\respondent-20220830094700-062MD5=C491190F90C7972FBE76687DCEFF5872,SHA256=DB0E0926111D00D550C987F8CEF70C29389AC9CA5369CEC4CC3BEF95D75DEA18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:36.805{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40BAAE116E375B27B55682DF757195C4,SHA256=BEC6364E9093ADDFD762603B5A86BB7040004917A06CAAFD631FC8C610E15CC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:33.770{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50362-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000034415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:36.065{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67EF681F41EF308C9B7ED3480B3A6B08,SHA256=E1F0494A36C62FAC1C00C721E38FE10995478F2296A0A38F91649ACB669DFD6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:36.478{BEA5AFC2-DC92-630D-2300-000000007402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00bf26b22d19118c1\channels\health\surveyor-20220830094658-063MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:37.887{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DB6B6C5D9206233CB8924D18DC7638,SHA256=029A4B0476E33EB0F5AE5586B0862205B3AC82748C3EE1E7D198DE8E98597143,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:34.883{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63252-false10.0.1.12-8000- 23542300x800000000000000034417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:37.150{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3E0DE852F2F1B7733FEA9CFEAAD54A,SHA256=8B6340D8D76AF790345D37CA6E4875512AD96D7E3D6304CC406A3303241394D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:38.870{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19A2899BE4696F221F289DAF31631276,SHA256=AA1C57F57817D4B123572E56560234BD54D7B92E86D20AF26E9E108556E4BA13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:38.240{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C48CC264D175941270F32CA1666CD7C0,SHA256=4C7DCA8A2BC79DBB4DDDAC27FEA05EA888405FA20D90E7D2EB6F767C21F12AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:39.971{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=842081DF8C645320F826949298453524,SHA256=40506AD15A46BC7374411214AB71ACB762D48AF09DE1A6EED4C994B5BD7DC2C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:39.341{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=182A062A12C96C72E91A9779506991EB,SHA256=A980095DA073A7145230C89FFC5FE6E7FF8154822CC955AEDC670880C0625C90,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000034471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.792{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000034470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.792{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000034469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.792{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000034468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.620{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000034467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.620{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000034466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.620{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000034465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.620{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000034464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.620{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000034463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.620{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000034462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.620{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000034461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.620{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000034460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.605{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000034459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.605{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000034458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.605{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000034457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.605{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000034456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.605{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000034455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.605{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000034454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.605{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000034453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.605{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000034452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.605{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000034451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.605{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000034450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.605{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000034449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.605{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000034448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.605{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000034447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.605{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000034446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.605{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000034445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.605{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000034444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.605{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000034443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.605{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000034442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.605{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000034441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.605{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000034440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.605{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000034439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.605{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000034438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.605{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000034437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.605{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000034436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.605{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000034435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.605{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000034434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.605{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000034433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.605{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000034432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.588{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000034431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.588{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000034430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.588{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000034429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.588{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000034428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.588{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x800000000000000034427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.588{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.588{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.588{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.588{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.588{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.588{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.589{3AAE424D-EBBC-630D-3E04-000000007502}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:40.432{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42647733AAE68F98DE8A893AD17EF0B5,SHA256=0B7E36E91B8346014398357DC7F3ED9B4BAF99877A93111C7CECBA8E244A9041,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000034583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.939{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000034582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.939{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000034581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.939{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x800000000000000034580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:39.772{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50363-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x800000000000000034579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.778{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000034578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.778{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000034577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.778{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000034576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.778{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000034575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.778{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000034574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.778{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000034573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.778{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000034572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.778{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000034571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000034570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000034569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000034568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000034567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000034566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000034565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000034564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000034563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000034562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000034561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000034560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000034559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000034558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000034557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000034556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000034555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000034554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000034553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000034552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000034551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000034550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000034549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000034548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000034547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000034546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000034545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000034544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000034543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000034542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000034541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000034540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000034539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000034538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000034537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000034536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000034535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x800000000000000034534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-DEE2-630D-0500-000000007502}4081028C:\Windows\system32\csrss.exe{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.762{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.763{3AAE424D-EBBD-630D-4004-000000007502}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.622{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE167FFAB17B51D012EE974828DA04C1,SHA256=059D3A3B94B6C129F1BFC77A0AF29AC625A3471319CE44D95E5B5B0FD09E32F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.575{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1260B9815156541E632CA57ADF63E84,SHA256=CE560C121817E85BBBB96F517B18502F3D0FBDCF275B9336CFE6DE9F4CDE92DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:39.998{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63253-false10.0.1.12-8000- 23542300x800000000000000040304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:41.064{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF7C348539FE7998090489465B6434A,SHA256=9A4DC3144BF6AAD05771143F3B8F10F019DAF24A99F0C68744916BEE80D0BB00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.387{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=260F399E7D53CEDD21D4DE2F9F5290F6,SHA256=1BBBF98BC2175EDE415FD80BA2351127285FFA751E90BBE7BEB88A9454E632FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.387{3AAE424D-EBBD-630D-3F04-000000007502}18922708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000034523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.387{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000034522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.387{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000034521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.356{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D59D37009323170F2234AA743D705D6,SHA256=F95C19BA796335DA99E5FC1FA3EA55F0726B18783DAFCC0BE4D9AE63DA039A59,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000034520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.231{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000034519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.231{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000034518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.231{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000034517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.231{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000034516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.231{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000034515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.231{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000034514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.231{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000034513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.231{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000034512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.231{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000034511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000034510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000034509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000034508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000034507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000034506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000034505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000034504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000034503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000034502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000034501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000034500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000034499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000034498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000034497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000034496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000034495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000034494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000034493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000034492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000034491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000034490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000034489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000034488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000034487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000034486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000034485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000034484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000034483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000034482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000034481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000034480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x800000000000000034479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.215{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.216{3AAE424D-EBBD-630D-3F04-000000007502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:41.190{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=835122808E55CF90CB3333BD625997EF,SHA256=13A30FD7D0D1151246031F27E0F838837BF11DD25BD1EA4C81794B0B5AC0D3F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.785{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE16BB3FEA373F792310BC9B0E66C977,SHA256=AA2FB1444E5EB6AA597D08CB8DE4D6E27002CBFFA40070726F9E2C269E4DF420,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.769{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3792BD536A5E246D32510672E1819FD,SHA256=0CEAAFF60AF1C2C71100359D938B17A28D9308355A0FD5D48F20C5BD3A83186C,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000034634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.644{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000034633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.644{3AAE424D-EBBE-630D-4104-000000007502}26844128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000034632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.644{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000034631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.644{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000040307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:42.204{BEA5AFC2-DC81-630D-1000-000000007402}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=28A294064B31F4754FA35A3B2317D76F,SHA256=491577BD399AFCEA85185D1D98BAAA68F93A3018107D67D933B2D8F214E7D7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:42.157{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B16ACE1BD63FC9ABEB02302713F829,SHA256=7F35F21A1C69BB6DBB583116806EBEAFD0CEE4611D5E93A5066142B99EAFF1AF,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000034630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.456{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000034629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.456{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000034628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.456{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000034627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.456{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000034626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.456{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000034625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.456{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000034624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.456{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000034623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.456{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000034622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.456{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000034621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.456{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000034620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.456{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000034619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.456{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000034618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.456{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000034617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.456{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000034616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.456{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000034615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.456{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000034614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000034613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000034612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000034611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000034610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000034609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000034608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000034607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000034606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000034605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000034604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000034603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000034602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000034601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000034600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000034599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000034598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000034597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000034596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000034595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000034594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000034593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000034592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000034591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000034589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000034588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.441{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:42.442{3AAE424D-EBBE-630D-4104-000000007502}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000034688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.881{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000034687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.866{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000034686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.866{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000034685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.866{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000034684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.866{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000034683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.866{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000034682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.866{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000034681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.866{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000034680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.866{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000034679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.866{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000034678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.866{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000034677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000034676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000034675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000034674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000034673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000034672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000034671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000034670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000034669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000034668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000034667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000034666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000034665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000034664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000034663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000034662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000034661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000034660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000034659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000034658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000034657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000034656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000034655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000034654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000034653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000034652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000034651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000034650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000034649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000034648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x800000000000000034647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-DEE2-630D-0500-000000007502}4081028C:\Windows\system32\csrss.exe{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.850{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.851{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:43.741{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F50D4CA9AA612D7B9B5437B1821B85E7,SHA256=24D9572F1F0757D84023FD867D11A9025091E4BC90D502054A2F5CB5695237E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:43.259{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D46DCF9CBD52E4854DB3B7239AB2221A,SHA256=E09DD0ED3DB150DA4DCA6A9DEA5D85BE152F94B1136F36916C12117EE6EFA7F6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000034639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:43.536{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000034638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:43.521{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000034637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:43.521{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 23542300x800000000000000040309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:44.336{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFE36DF8482A96A5F01C043199A6BB50,SHA256=A0AECC04CDB9E1A962F2FD4B3AA556067C151B900AABA519C601C3E980081434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.815{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A687D482EE25F8B46F55CA9F9230196E,SHA256=C317FCF10F339449D4C5C1F3E3297C8586A32F0BB436F0BEC5B0E84155BE706C,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000034743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.705{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000034742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.705{3AAE424D-EBC0-630D-4304-000000007502}56645336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000034741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.705{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000034740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.705{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000034739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.533{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000034738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.533{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000034737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.533{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000034736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.533{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000034735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.533{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000034734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.533{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000034733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.533{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000034732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.533{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000034731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000034730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000034729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000034728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000034727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000034726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000034725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000034724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000034723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000034722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000034721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000034720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000034719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000034718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000034717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000034716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000034715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000034714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000034713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000034712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000034711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000034710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000034709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000034708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000034707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000034706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000034705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000034704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000034703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000034702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000034701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000034700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000034699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-DEE2-630D-0500-000000007502}4081028C:\Windows\system32\csrss.exe{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.518{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.519{3AAE424D-EBC0-630D-4304-000000007502}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000034692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.022{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000034691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.022{3AAE424D-EBBF-630D-4204-000000007502}5672664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000034690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.007{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000034689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:44.007{3AAE424D-EBBF-630D-4204-000000007502}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000040310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:45.422{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F092254F65DCC2766967C47EC8A33AC8,SHA256=C62A509DD21ABFA77C306632D02BDFF85998B39BAF5E55B2BD5DAEF7A8892368,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:45.033{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43738A99E272AB9CDCDAF55AB7F4AF65,SHA256=4F772A652803CAD63C0A98249362A1F5D9CAF37AEEE3FFDBA1527E76746D8D4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:46.522{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF1B56E8B0A6B881579448A882C6DA28,SHA256=BCF8A482597CE58136EAAAB36671FDF10A3D3FC23750184DDCD0293779B6D070,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000034803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.370{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000034802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.370{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000034801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.370{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x800000000000000034800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.219{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000034799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.219{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000034798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.219{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000034797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.218{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000034796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.218{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000034795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.218{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 734700x800000000000000034794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.122{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000034793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.122{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000034792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.122{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000034791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.122{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000034790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.122{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000034789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.122{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000034788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.122{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000034787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000034786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000034785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000034784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000034783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000034782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000034781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000034780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x800000000000000034779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000034778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000034777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000034776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000034775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000034774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000034773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000034772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000034771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000034770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000034769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000034768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000034767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000034766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000034765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000034764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000034763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000034762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000034761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000034760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000034759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000034758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000034757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000034756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000034755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000034753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000034752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x800000000000000034751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-DEE2-630D-0500-000000007502}4081028C:\Windows\system32\csrss.exe{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.107{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.108{3AAE424D-EBC2-630D-4404-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:46.076{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78ED0F8013DCB86393DEA7CBFCC94BF6,SHA256=211AB94054FB210CF32EBC210925AB1B238EC3FC98124BE38FA30445F93BF6EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:47.821{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=931B03D23682F61075B76011764C824E,SHA256=ED5E7DA7087B585BF1390AA253593D7424AB82E4B1621BF392F7734C2C73C35D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:47.618{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EBC3-630D-3B07-000000007402}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:47.618{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF81DAC92EFDBE6FB2B35E4BCCBDF66,SHA256=BBD0D72124C522C34657AB7D5580F34DA0157D956710F26D730D3AD903E7624A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:47.618{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:47.618{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:47.618{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:47.618{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:47.618{BEA5AFC2-DC7F-630D-0500-000000007402}416500C:\Windows\system32\csrss.exe{BEA5AFC2-EBC3-630D-3B07-000000007402}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:47.618{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EBC3-630D-3B07-000000007402}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:47.617{BEA5AFC2-EBC3-630D-3B07-000000007402}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000034806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:47.496{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 23542300x800000000000000034805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:47.247{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983E78563253E8195E48D43B5D30C17A,SHA256=0D6DEAF4B2A1A30B2056F5DA239644B5160C92FA1845302495413FEB570DB55F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:47.167{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C9F282F9933EF4172EE699433744AE4,SHA256=003F34A12755B426422CFF16A0472E00EADB2C5E482B903793BAC329BA22B8E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:45.016{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63254-false10.0.1.12-8000- 10341000x800000000000000040348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:48.967{BEA5AFC2-EBC4-630D-3D07-000000007402}42283076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:48.826{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EBC4-630D-3D07-000000007402}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:48.826{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:48.826{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:48.826{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:48.826{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:48.826{BEA5AFC2-DC7F-630D-0500-000000007402}416432C:\Windows\system32\csrss.exe{BEA5AFC2-EBC4-630D-3D07-000000007402}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:48.826{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EBC4-630D-3D07-000000007402}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:48.828{BEA5AFC2-EBC4-630D-3D07-000000007402}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:48.701{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EFC832349855AACFED6F34712A08F2B,SHA256=F22B062826FD8908391663841D60443A3947141F809878E0E018A44BB7320AD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:48.274{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7841FED2B026FFE3A533D01FF9294D0,SHA256=599B08CA307A959F674C4689D5A0174FE25AFDECFB2A7546E754962301AC1053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:48.466{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3DAA55D8674006F8FCD9DD7CC4675128,SHA256=BB6B5DE3BE248BBF62AD3DCD80B9F0CEADA2DD54F0004D13D5C893EBF605B1C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:48.418{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EBC4-630D-3C07-000000007402}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000040336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:48.418{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EBC4-630D-3C07-000000007402}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000040335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:48.418{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EBC4-630D-3C07-000000007402}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000040334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:48.417{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EBC4-630D-3C07-000000007402}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000040333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:48.417{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EBC4-630D-3C07-000000007402}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000040332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:48.417{BEA5AFC2-E595-630D-7006-000000007402}52725416C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-EBC4-630D-3C07-000000007402}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000128963D0) 10341000x800000000000000040331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:48.290{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EBC4-630D-3C07-000000007402}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:48.290{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:48.290{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:48.290{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:48.290{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:48.290{BEA5AFC2-DC7F-630D-0500-000000007402}416432C:\Windows\system32\csrss.exe{BEA5AFC2-EBC4-630D-3C07-000000007402}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:48.290{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EBC4-630D-3C07-000000007402}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:48.290{BEA5AFC2-EBC4-630D-3C07-000000007402}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:48.212{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C9E586910885967EDCBE85D14405EB4D,SHA256=0CE6C9D5D23D08A3E8AA4092822EB05D4837D60061AE1F4670EAB01CC4FF3010,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.964{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 23542300x800000000000000040382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.963{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=089B9A67788EF876872B2BBE877870EE,SHA256=E7EECC3F87D6501FD0B121557F5C0BFE129666859F4166F8BD5A615A97B66DD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.958{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.956{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.954{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.949{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.932{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.929{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 23542300x800000000000000034809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:49.364{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FCEC3CEDDA9CBFC6DFBB756E46FADF2,SHA256=9D635EB67EC1C894C8DF3DC88B5F442C6C68F39622E2557F8BA3F1F082F32859,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.607{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.602{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.600{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.598{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.597{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.584{BEA5AFC2-EBC5-630D-3E07-000000007402}92496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.573{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.567{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.556{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.550{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.545{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.538{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.531{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.523{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.517{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.510{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.503{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.472{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.470{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.446{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EBC5-630D-3E07-000000007402}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.444{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.444{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.444{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.444{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.443{BEA5AFC2-DC7F-630D-0500-000000007402}416500C:\Windows\system32\csrss.exe{BEA5AFC2-EBC5-630D-3E07-000000007402}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.443{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EBC5-630D-3E07-000000007402}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:49.443{BEA5AFC2-EBC5-630D-3E07-000000007402}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000034808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:45.772{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50364-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 13241300x800000000000000034812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:50.501{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000034811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:50.501{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 23542300x800000000000000034810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:50.454{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D5BFB4E82A8FD214EC906A4A97770F8,SHA256=BB42421093C054847CCC5112B7F3A87B032676C9F423192001E4546FBFCA60E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:50.724{BEA5AFC2-EBC6-630D-3F07-000000007402}65963664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:50.567{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EBC6-630D-3F07-000000007402}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:50.567{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:50.567{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:50.567{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:50.567{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:50.567{BEA5AFC2-DC7F-630D-0500-000000007402}416500C:\Windows\system32\csrss.exe{BEA5AFC2-EBC6-630D-3F07-000000007402}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:50.567{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EBC6-630D-3F07-000000007402}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:50.568{BEA5AFC2-EBC6-630D-3F07-000000007402}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.806{3AAE424D-DEE3-630D-1100-000000007502}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7AC745530C2174E671CDBA020E2139F9,SHA256=BDB9FB36C92294EBA8C2921024264F4C00B771FA068020B2B19C3F4DA6870D5F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.714{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.712{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.708{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.707{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.707{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.704{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.689{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.678{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.638{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.626{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.611{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.606{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.604{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.601{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.598{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.594{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.591{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.587{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.585{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.584{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.582{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.578{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.576{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.574{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.570{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.565{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.562{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.560{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.550{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 23542300x800000000000000034827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.537{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C121ED3FCBCC7D123AF3617BD217FDCF,SHA256=78CF1F2B35829F832D3CA9905DDF31CD932A653002CDB6DE708A71C6AA3B2F42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.532{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.529{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.518{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.470{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.464{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.455{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000040412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:51.985{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:51.984{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:51.811{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EBC7-630D-4107-000000007402}6456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:51.811{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:51.811{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:51.811{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:51.811{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:51.811{BEA5AFC2-DC7F-630D-0500-000000007402}416500C:\Windows\system32\csrss.exe{BEA5AFC2-EBC7-630D-4107-000000007402}6456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:51.811{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EBC7-630D-4107-000000007402}6456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:51.812{BEA5AFC2-EBC7-630D-4107-000000007402}6456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000040402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:51.336{BEA5AFC2-EBC7-630D-4007-000000007402}40845008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:51.196{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EBC7-630D-4007-000000007402}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:51.196{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:51.196{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:51.196{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:51.196{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:51.196{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EBC7-630D-4007-000000007402}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:51.196{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EBC7-630D-4007-000000007402}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:51.197{BEA5AFC2-EBC7-630D-4007-000000007402}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:51.071{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E93EE4DC5394CFC5F8FE0BECE847FBE,SHA256=DD91D7B4466606D0DEC5ADD8789F97B555CFEFCA88E3345348F702CECAD49FCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.444{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.432{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.425{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.414{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.405{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.392{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.379{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x800000000000000034813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:51.376{3AAE424D-E5D3-630D-6803-000000007502}57525884C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 23542300x800000000000000034870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:52.900{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF7957EC018E5586596B1A0C10990837,SHA256=98C75809FE8E22E48619F904CAAACF3FCC46050472CE784028AC017225009A4D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000034869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:52.650{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000034868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:52.650{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00326e85) 13241300x800000000000000034867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:52.650{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8bc56-0x2163090e) 13241300x800000000000000034866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:52.650{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8bc5e-0x8327710e) 13241300x800000000000000034865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:52.650{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8bc66-0xe4ebd90e) 13241300x800000000000000034864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:52.650{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000034863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:52.650{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00326e85) 13241300x800000000000000034862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:52.650{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8bc56-0x2163090e) 13241300x800000000000000034861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:52.650{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8bc5e-0x8327710e) 13241300x800000000000000034860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:52.650{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8bc66-0xe4ebd90e) 23542300x800000000000000040434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:52.983{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6963499D5428634B0ABC567BA9B2B6DF,SHA256=B6566D125224DCD82C644024CE76DEBD38505D98D6554AAB7AB9C351C6551BED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:50.889{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63255-false10.0.1.12-8000- 10341000x800000000000000040432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:52.575{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:52.567{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:52.547{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:52.541{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:52.532{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:52.527{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:52.526{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:52.524{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:52.521{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:52.519{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:52.516{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:52.516{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:52.507{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:52.506{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:52.505{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:52.504{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:52.504{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:52.503{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:52.501{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 23542300x800000000000000040413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:52.156{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D24883C90295618D489C262F676F70D5,SHA256=AADCC2A942BDD57C6CDB5F7E656829A393D17F1D16CC12D7D5D8CB6B920AD922,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000034859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:52.431{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000034858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:52.431{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 23542300x800000000000000034872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:53.727{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E007B8AB764D8110D6BC35DF2688606,SHA256=E5E9FC2B1546DF63ED68A9E9E969E76DF3FC8C44E0CDF56F650E1E30A9F42E72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:53.233{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCD23ABD35EFE2DF7D3940007EDE918A,SHA256=7B4FC5E9FEDC9BA4E602CF539B1D078484875558928F0291C279F2A01D54C0C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:50.918{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50365-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000034873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:54.819{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD7D66A6A3198812C0D4C445C57F16CA,SHA256=18B66D29A4CB5496B755B4896440975F74C41910E9308EF51FA13F68C1053B5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:54.752{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:54.752{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:54.752{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:54.752{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:54.752{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:54.752{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:54.752{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:54.752{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:54.752{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:54.752{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:54.752{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:54.752{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:54.752{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:54.752{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:54.752{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:54.752{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:54.752{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:54.752{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:54.752{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:54.752{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:54.752{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:54.752{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:54.752{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:54.752{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:54.752{BEA5AFC2-DC81-630D-0D00-000000007402}912932C:\Windows\system32\svchost.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:54.323{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B81365BE41524FA44591AFDA407FD69,SHA256=82644477158C1938D7803C05A058BD4E2B58CC67AD3E12AFFE9852B16A30F956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:55.434{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F1A271827C2F337C1A6ED4F8312AFC,SHA256=DF016E373942C83A3D9CD96036A5EA1A5CFAF78CDFBF27FF7FC90B33A2AF7AA0,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000034905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.753{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000034904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.753{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000034903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.753{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\System32\dllhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000034902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.738{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\System32\dllhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000034901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.738{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\System32\dllhost.exeC:\Windows\System32\thumbcache.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Thumbnail CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationthumbcache.dllMD5=915850DD84E156381392FC43ECDF37C0,SHA256=03E2C6D75BCC4FE599C40C4929E2877543EE625494BAC86D988AD23A0439468A,IMPHASH=428FE673E24F7848BECF2BA2271A839AtrueMicrosoft WindowsValid 10341000x800000000000000034900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.738{3AAE424D-DEE3-630D-1400-000000007502}8642424C:\Windows\system32\svchost.exe{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.738{3AAE424D-DEE3-630D-1400-000000007502}8641088C:\Windows\system32\svchost.exe{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000034898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.738{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\System32\dllhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000034897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.738{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000034896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.738{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000034895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.738{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000034894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.738{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000034893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.738{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000034892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.738{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x800000000000000034891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.738{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000034890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.738{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x800000000000000034889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.738{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000034888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.738{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000034887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.738{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000034886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.738{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000034885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.738{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000034884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.738{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x800000000000000034883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.738{3AAE424D-E5C0-630D-4003-000000007502}31522300C:\Windows\system32\csrss.exe{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x800000000000000034882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.722{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000034881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.722{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000034880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.722{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000034879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.722{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88trueMicrosoft WindowsValid 10341000x800000000000000034878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.722{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:55.722{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000034876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:53.713{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50366-false169.254.169.254instance-data.us-east-2.compute.internal80http 13241300x800000000000000034875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:55.230{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000034874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:55.230{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 23542300x800000000000000040463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:56.518{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F7D77970465E0488128C9A91FA848B9,SHA256=6B09AF562F1E854178590216E6F33CF3645F9BB8315E0C6480C177EC8A2C7C23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:56.824{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CA94A8FF5F86778BE01C6410CA7D021,SHA256=5613253DC78A11D57DD2521B2909BC449F329810DE76CCD242E41CD243519F14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:56.516{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000034911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:56.516{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000034910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:56.515{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000034909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:56.515{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000034908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:56.515{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000034907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:56.515{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBCB-630D-4504-000000007502}840C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 23542300x800000000000000034906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:56.270{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E386C5DC5782B7A9BA8708A62B7AB9,SHA256=7B527600E561623B4269456A6903DDCD5AA91784D19ECDEF3D0CBE10F8FA5C3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:57.614{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31218CC03FD3ACAEDDF1B85E62694C1B,SHA256=F7529F74FCB92364471400CB0B69256096E120018E14C7DA90DE2BF6E69724B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:57.340{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E6ECD263E1D5F86EC0C582B0A918038,SHA256=DC23E10C6E2DF2D6B2107D79DB72FA3AB00C818FB59BE34F97265E1DF59D73A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:58.699{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EE3045C357E72AB4F72CD4EDFBF725F,SHA256=EA3F67D68C6117F1D3C4E93956C9F43A475BC3045EE09ECB55B0F9D7B2E4AE45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:58.433{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B781524124C0414AADB24F2AC83EC545,SHA256=697C4DEB8A0864C804B9BA912291B8FABD0841D1CE81FAB7A4A51FA9586BF805,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:59.794{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1408831B317662BAEA8DF6E5255D8BFB,SHA256=5186943167E78EA23C6BA496F78A64772EC51474E1C7599832F8648145490E85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:59.524{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61CB9FA1B03C73C597647AB724B6DDA,SHA256=F2330E6E9BE8ACBC6F734185F0BAEAB3918118AA76B0F371B5C785F3AAFF845D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:51:56.864{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50367-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 13241300x800000000000000034918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:59.264{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000130312\VirtualDesktopBinary Data 13241300x800000000000000034917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:59.185{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000034916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:51:59.185{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 23542300x800000000000000040468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:00.899{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDFB45628F281636670AB0B07B9DE77C,SHA256=0F61A696C141B61A160DF65BC1F697E1AAAE94DA46B4E65430C50D1A888C7736,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:00.626{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56604151406B29CEB158F001A5BE7895,SHA256=CA7BD526DAE14A27E1679054420C8302D6E4B5AF7FC9FC063B02C9AC30FB61CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:51:56.855{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63256-false10.0.1.12-8000- 23542300x800000000000000040469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:01.995{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98418F86C794129D9960505D12E0FCE,SHA256=9771BB371AC58AD3219A945F5A0E982B1CDA46F3D07DE0C8CC235D3DE1ED8D6E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000034927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:01.902{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000034926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:01.902{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x800000000000000034925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:01.886{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\(Default)%%SystemRoot%%\System32\imageres.dll,-54 12241200x800000000000000034924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteValue2022-08-30 10:52:01.886{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8540d214-0000-0000-0000-100000000000}\NeedToPurge 13241300x800000000000000034923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:01.886{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8540d214-0000-0000-0000-100000000000}\NeedToPurgeDWORD (0x00000001) 23542300x800000000000000034922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:01.714{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=134BD18489E276A9073F45A7D9AD5B2E,SHA256=1EF5F76338815552DB0AAC9081EC81FA0CF835EC4EB821BB0118E04031293759,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000034930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:02.925{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000034929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:02.925{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 23542300x800000000000000034928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:02.894{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1927392ACDDEA123E22A8337D22F29,SHA256=0717B5CD5C9E414A6A5F24542C4197E61BCADBD196C08127B26EAC3E71ACA6ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:03.988{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5EC598238DC116FB84A134EB9C922B,SHA256=628216CF2B88144A1A62A1748A760007FF79160A808B40E1A777ED92E63B1459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:03.075{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B2BE13646222B5B1A3BF6E83392344,SHA256=F02200DE4EC02A08C025505700248F2DE6C3AE98D416D318A6AE2BEAB267673B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:04.167{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50E09DAF62EE4BFA618DFDDE963D9EFB,SHA256=9C66F561EB311DDCD63EB5DD5D8A49D776085AFE58642D5F09943E9B8001F335,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:02.778{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50368-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000034933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:05.079{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3974F464A49C54A7BBF449F702B722BF,SHA256=4894953517BBD262259FEF405ACEF43BB76200781B0700F4381A4924B37AC966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:05.246{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D956BE581B4A16014191FB3EA038CA2,SHA256=BE2A4243307324C7979307E9AE38DB73F1F586E54E8C954D530F891D29DFFC16,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:02.862{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63257-false10.0.1.12-8000- 23542300x800000000000000034934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:06.172{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13B0748DDDA4A6347AB9744C74825914,SHA256=5FE8E4A1C255817DCF0BF0ABDB3C6B43E0FD7366F30561456204B6F183274D75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:06.342{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC09789194CE92D7ED48292B2DE41CD,SHA256=910E9AE58EB7C0FFB15689DC59656D1B70ED8059487470CC5558BBFAE57CB82E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:07.270{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9DA3F9026A078DE39F6EBC31F86F5F,SHA256=A0543BE8B778A073219E5FACE36746AB33DEE8D3ABF7E41F94EBE58E84CCE5C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:07.435{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFDE4ACE269A9C975928F33222693920,SHA256=54F69397A2F7325776E3C4769B513DBB02EE7FCE12E5BF07321BB914C3562AE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:08.360{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81472E0728C500882740066D752CCC1A,SHA256=6810140737C5F86F7B2BDD11F0B4AA1321E3912E10D9F957EF1B7C44E939775F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:08.535{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA25128F6606E427EC4F2A315D65BA5B,SHA256=2F17A30B38FCFCB7741D3A7A53B610B648F2F1F26051C3C426F73ECB61DCB5D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:07.805{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50369-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000034937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:09.463{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61153BEE99397AFB55B9A9710597DF65,SHA256=A8563294B439678B89F2ED1312CCAFAC660EE09814A60F08EA19B36C8E6E5EF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:09.673{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:09.666{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:09.662{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:09.661{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:09.659{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:09.618{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:09.613{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 23542300x800000000000000040489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:09.608{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=001180787DDB87C5469696B1CD799840,SHA256=41F87CA386EFE83C7B8ACECDBFDE704E199E7D15A2B3BBC18656D7A48D7450AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:09.599{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:09.592{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:09.587{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:09.577{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:09.568{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 23542300x800000000000000040483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:09.552{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F10761BF1FABE9ACA567A4E55D07BF6E,SHA256=D176E9D43E6FB26DF4788AECA2215E705A9EE9BCECF723BD66284464281BB053,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:09.550{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:09.543{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:09.534{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:09.526{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:09.480{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:09.478{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 23542300x800000000000000034939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:10.559{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA89247B21F2E411A69DDD67A1E938F2,SHA256=A6EF90555E08DBC35FF6A00A8E86FCE51A52C470E4A032FE4D7A24827A339379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:10.659{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B734FE75917BC9B907D99A88F3228A9,SHA256=547CFA853FF9CE422A23106FC196309FBFE25EC5BABD17A801E91A5CB8958B8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:10.138{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:10.134{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:10.132{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:10.131{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:10.125{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:10.112{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:10.109{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 23542300x800000000000000040507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:11.758{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0536D61D64C33C82A9B30C3CFBBB7D1,SHA256=4F09CF2E1A3AFDD34078A72D8C63340D61C545339237A703E10113E2E69FCE39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.709{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.708{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.705{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.704{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.704{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.702{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.683{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.673{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 23542300x800000000000000034976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.635{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81A6780EA351101ECB1F1ADC078999A5,SHA256=292BE95E175CBBDC804B0EB53954A06DAD63EE02027DB86AFE8B7F2DC03B60B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.631{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.620{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.610{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.601{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.598{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.596{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.593{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.591{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.590{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.585{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.584{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.583{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.582{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.578{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 23542300x800000000000000034961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.578{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CDF8D9E275957885515EC85F6F14843C,SHA256=1910694D6B6766E290A57B13D456EE8CCD59C6092760DED074C6F7F3E13617B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.577{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.573{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.569{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.563{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.558{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.556{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.549{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.526{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.521{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.507{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.471{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.463{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.451{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.440{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.426{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.420{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.411{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.402{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.392{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.383{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000034940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:11.381{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 354300x800000000000000040506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:09.319{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63259-false10.0.1.12-8089- 354300x800000000000000040505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:08.893{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63258-false10.0.1.12-8000- 23542300x800000000000000034985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:12.651{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A329388592872BC692812F63A1F73EC9,SHA256=996963ADE0E83D9C5DD089192C61FBF0AA59D245D8A1AF3BCD7A51CD362546D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:12.848{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1642AA38DA3AD180EDA2699B876D8B12,SHA256=EABB62D8CE5739752299188FFBBD5022167D5ED43B2782809D9FEA8588E6B3AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:12.761{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:12.752{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:12.723{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:12.715{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:12.706{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:12.701{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:12.699{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:12.697{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:12.694{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:12.690{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:12.688{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:12.687{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:12.683{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:12.682{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:12.680{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:12.679{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:12.677{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:12.673{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:12.670{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:12.151{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 10341000x800000000000000040508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:12.150{BEA5AFC2-E595-630D-7006-000000007402}52725480C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438CD0) 23542300x800000000000000040530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:13.823{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF4D715692FBDAAB0A8721B77C5DE9F,SHA256=C717408BB10D0076BC4B214B36A5223FF37CBC6BD450FDF23EBCAD13BCFE5A12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:13.805{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74664B6EF777AC7AB410E6247D3D2F5F,SHA256=8CBE12DF3D105DD6A6163838E533C2B721090AF6FF48A02890DB851C1D16F073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:14.896{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C42E9A25EEA25FBE254B931F2856F0,SHA256=2DD771D2B011941873F7E654E95A966DE3DACFE2E869E79D0FC9AF9766735CB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:14.915{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B423643112D47EE7F3950155DBB168AB,SHA256=DE1DE1D72CA91ABCAA3937A55513CAD4BA001E422593A232D2C75B788C830E8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:14.589{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FC3E767678F65F8B874D4797F59D858,SHA256=3E833DB637DC8185F769B21D95311F4B0745549C2C2254FDCC46509ECD037819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:14.696{3AAE424D-DEE3-630D-1A00-000000007502}1788NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-057096b16942fd9f4\channels\health\respondent-20220830095653-053MD5=D4339613963D06E92774A3EB9FED8697,SHA256=EC6B2C8C371CA336E2A0B482E95A3B0DACA37B87AC3FADB516AE5F6436D8643B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:12.953{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50370-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000034990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:15.700{3AAE424D-DEE3-630D-1A00-000000007502}1788NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-057096b16942fd9f4\channels\health\surveyor-20220830095651-054MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:13.281{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local63260-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000040533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:13.281{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local63260-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local389ldap 13241300x800000000000000035175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.978{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x800000000000000035174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.978{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 13241300x800000000000000035173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.978{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 13241300x800000000000000035172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.978{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 10341000x800000000000000035171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.947{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.947{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000040536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:13.907{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63261-false10.0.1.12-8000- 23542300x800000000000000040535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:16.007{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B7CE89F58064D7E3CE4EFC5AA30108B,SHA256=46B655513B48B758E293FE87485CABDE37AB2BAF63D7A6F629363365D9CF42F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.947{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.947{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.947{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.947{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.947{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000035164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.947{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\msxml6.dll6.30.14393.5291MSXML 6.0Microsoft XML Core ServicesMicrosoft CorporationMSXML6.dllMD5=A362CCDBE82A110E864A59410B1C450F,SHA256=D05D510E37824ADF4917CA1F5BCD4F19F48B9664B2188C2CAD14481B6F7E0CC9,IMPHASH=FCAD6732873DA041FB25E83E799A2652trueMicrosoft WindowsValid 13241300x800000000000000035163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.947{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\SniffedFolderTypeGeneric 13241300x800000000000000035162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.947{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListExBinary Data 13241300x800000000000000035161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.947{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000035160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.947{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000035159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.932{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirectionDWORD (0x00000001) 13241300x800000000000000035158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.932{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PIDDWORD (0x00000000) 13241300x800000000000000035157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.932{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID{00000000-0000-0000-0000-000000000000} 13241300x800000000000000035156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.932{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupViewDWORD (0x00000000) 13241300x800000000000000035155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.932{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfoBinary Data 13241300x800000000000000035154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.932{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\SortBinary Data 13241300x800000000000000035153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.932{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSizeDWORD (0x00000060) 13241300x800000000000000035152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.932{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x800000000000000035151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.932{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewModeDWORD (0x00000003) 13241300x800000000000000035150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.932{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ModeDWORD (0x00000001) 13241300x800000000000000035149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.932{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid{0057D0E0-3573-11CF-AE69-08002B2E1262} 13241300x800000000000000035148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.932{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x800000000000000035147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.932{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\RevDWORD (0x00000000) 13241300x800000000000000035146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.932{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x800000000000000035145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.932{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x800000000000000035144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.916{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo\Volume{0fbb77fe-284a-11ed-abad-02f04dc43d56}\ActiveDWORD (0x00000001) 13241300x800000000000000035143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.916{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo\Volume{0fbb77fe-284a-11ed-abad-02f04dc43d56}\StagingPathC:\Users\Administrator\AppData\Local\Microsoft\Windows\Burn\Burn1 13241300x800000000000000035142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.916{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo\Volume{0fbb77fe-284a-11ed-abad-02f04dc43d56}\DriveNumberDWORD (0x00000003) 12241200x800000000000000035141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteValue2022-08-30 10:52:16.916{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo\Volume{0fbb77e6-284a-11ed-abad-02f04dc43d56}\DriveNumber 734700x800000000000000035140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.916{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\DmApiSetExtImplDesktop.dll10.0.14393.0 (rs1_release.160715-1616)DmApiSetExtImplDesktopMicrosoft® Windows® Operating SystemMicrosoft CorporationDmApiSetExtImplDesktop.dllMD5=89A2945D9F03BD5CE4FE786FC3FA01AC,SHA256=ECBF426E75A3C954374FA4FD3F815FCD24D30FE2550013FCBA03C57CCB7EEB7B,IMPHASH=F22ED554FF218C026E48028F37750A4EtrueMicrosoft WindowsValid 734700x800000000000000035139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.916{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\iri.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)iriMicrosoft® Windows® Operating SystemMicrosoft Corporationiri.dllMD5=AF8D35DD59781A0C1A1CE0D8792E330C,SHA256=CC67A743C34143F13B9D7265A0FDD4BC23505E9DA8B9F25D7D2CFB25FD67CDC1,IMPHASH=B26982DFF0E4AE83D00B3545D5FED9C7trueMicrosoft WindowsValid 13241300x800000000000000035138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.916{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\Control Panel\Desktop\TranscodedImageCountDWORD (0x00000001) 734700x800000000000000035137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.916{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\dmxmlhelputils.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)dmxmlhelputilsMicrosoft® Windows® Operating SystemMicrosoft Corporationdmxmlhelputils.dllMD5=D736BB34651B8B66B58135B00BC73A9E,SHA256=433472EB2A0F30B3B3DB906AA09DA241775747087329FBA4270F14C213D344F0,IMPHASH=293AA2BB000D78CD59C3BAF9BC49B2D1trueMicrosoft WindowsValid 734700x800000000000000035136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.916{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\dmcfgutils.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)dmcfgutilsMicrosoft® Windows® Operating SystemMicrosoft Corporationdmcfgutils.dllMD5=5BB823D136C74E3AEB50A2F8FD1AB3D3,SHA256=22DDB2DB95C4BC76AEDD4527E4F1FD2E3DF6A617442977B05C2876A91F0DEE4D,IMPHASH=D7125ED03B1CA2FDB19DB95B8732B900trueMicrosoft WindowsValid 734700x800000000000000035135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.916{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\omadmapi.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)omadmapiMicrosoft® Windows® Operating SystemMicrosoft Corporationomadmapi.dllMD5=EF8BD33B59DC278706C5DDD4198865EA,SHA256=D333877C5C468AF921D3FE7E072A686020AE4140C0828C8C61D7786399D48C2C,IMPHASH=94B167A43001FFF7EC77F71C980396E0trueMicrosoft WindowsValid 13241300x800000000000000035134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.916{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo\NextStagingPathIndexDWORD (0x00000002) 734700x800000000000000035133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.900{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\dmcsps.dll10.0.14393.2608 (rs1_release.181024-1742)dmcspsMicrosoft® Windows® Operating SystemMicrosoft Corporationdmcsps.dllMD5=3E2BE79AA01A983FE8E292BE943A145C,SHA256=CDFCC3B473CD671530926E08ECFE26C3BEB19AE995C63B5BDD7759BEB01EF74B,IMPHASH=62D6AA3FE203382F5057A220DB8A43A5trueMicrosoft WindowsValid 734700x800000000000000035132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.900{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\OneCoreCommonProxyStub.dll10.0.14393.2395 (rs1_release_inmarket.180714-1932)OneCore Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreCommonProxyStub.dllMD5=02CEC1566FB0709923FF7A9FEC254D96,SHA256=81BED60AEB79C489E9F79996A3F0AB626E6CA247EBB656B6B9897C47A39F6AFB,IMPHASH=69A8B7E9F373278F52FE45A83CE3A380trueMicrosoft WindowsValid 13241300x800000000000000035131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.900{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{0fbb77fe-284a-11ed-abad-02f04dc43d56}\IsImapiDataBurnSupportedDWORD (0x00000000) 13241300x800000000000000035130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.900{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{0fbb77fe-284a-11ed-abad-02f04dc43d56}\Drive TypeDWORD (0x00000011) 734700x800000000000000035129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.900{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\BluetoothApis.dll10.0.14393.5291 (rs1_release.220806-1444)Bluetooth Usermode Api hostMicrosoft® Windows® Operating SystemMicrosoft CorporationBluetoothApis.DLLMD5=B5267EC072EC69EA82EDA8E8DA5DA218,SHA256=043ABA230C42ADF43B0F3695CF052ABF9F9AF08A701F99C65B3705D46BA7B9AB,IMPHASH=565BE656E1DABB7885CE440B41B76C57trueMicrosoft WindowsValid 734700x800000000000000035128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.900{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\dmenrollengine.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Enroll Engine DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdmEnrollEngine.dllMD5=28CFC1B053DE56ECAE3B0BB333B261DC,SHA256=F9F5E714B95D28AD8F23F80B6A28C98AA728CADEF90578B5309DBEBB87CDE2B6,IMPHASH=59187E09031CC2CA39C447F4A8D5439FtrueMicrosoft WindowsValid 734700x800000000000000035127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.900{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\dmiso8601utils.dll10.0.14393.0 (rs1_release.160715-1616)dmiso8601utilsMicrosoft® Windows® Operating SystemMicrosoft Corporationdmiso8601utils.dllMD5=2F40C02593E583ADB3A6C6A6A25E0C49,SHA256=0C0A3221B34778274D7808379015DEEBB76B3B8524C01F75105B0C3D44750C2F,IMPHASH=33346501635D371F04B783022D96229EtrueMicrosoft WindowsValid 734700x800000000000000035126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.900{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\enterpriseresourcemanager.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)enterpriseresourcemanager DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationenterpriseresourcemanager.dllMD5=0302E3FE61103E007ACF38D3F07D55A0,SHA256=AC171FD434FB589664C3636D31E51AC96971A9E59CA251CA039A518D3E857C56,IMPHASH=C2EA5291AD083C4C02F0C3CA7E4C7677trueMicrosoft WindowsValid 734700x800000000000000035125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.900{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\dmoleaututils.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)dmoleaututilsMicrosoft® Windows® Operating SystemMicrosoft Corporationdmoleaututils.dllMD5=58F5C38F979C23E9C3A8D6EFA7A01CE5,SHA256=C7A6A9B121CC95F906EDEDEFF1CD5C3E8D51295F149982DE66DA6AD73DB79C06,IMPHASH=EA4F317317CF2C0BAD0CECCE4D647BFCtrueMicrosoft WindowsValid 734700x800000000000000035124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.900{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\configmanager2.dll10.0.14393.4169 (rs1_release.210107-1130)ConfigManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationconfigmanager2.dllMD5=C2DB188E223282022D7475373B4DA96F,SHA256=F19CDC4A555243E2492351EBF5CC0B30E53654DD7D80F7D0884AE3C9CBEAC5E3,IMPHASH=6A70C4F51ACF7D21F90F8C54B7DA1389trueMicrosoft WindowsValid 734700x800000000000000035123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.900{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\ExplorerFrame.dll10.0.14393.4169 (rs1_release.210107-1130)ExplorerFrameMicrosoft® Windows® Operating SystemMicrosoft CorporationExplorerFrame.dllMD5=BB0850797E5D50E70FFB3FFCEBFE77A9,SHA256=042F69100AAEB04CF79872035422A033FB87F2F0113EE89AB6B61FFA41A224D8,IMPHASH=BE381F028EB6D274783D5F8AA4F3DCECtrueMicrosoft WindowsValid 734700x800000000000000035122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.900{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 734700x800000000000000035121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.900{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AE,IMPHASH=52045AC79DBE663F06AB7C9717524D40trueMicrosoft WindowsValid 13241300x800000000000000035120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.885{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{0fbb77fe-284a-11ed-abad-02f04dc43d56}\GenerationDWORD (0x00000001) 13241300x800000000000000035119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.885{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{0fbb77fe-284a-11ed-abad-02f04dc43d56}\DataBinary Data 13241300x800000000000000035118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.885{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\(Default)Binary Data 13241300x800000000000000035117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.869{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\SYSTEM\MountedDevices\\DosDevices\D:Binary Data 13241300x800000000000000035116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.869{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\SYSTEM\MountedDevices\\??\Volume{0fbb77fe-284a-11ed-abad-02f04dc43d56}Binary Data 13241300x800000000000000035115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.869{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000002#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\#\Properties\{4d1ebee8-0803-4774-9842-b77db50265e9}\0004\(Default)Binary Data 13241300x800000000000000035114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.869{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000002#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\#\Properties\{4d1ebee8-0803-4774-9842-b77db50265e9}\0003\(Default)Binary Data 13241300x800000000000000035113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.869{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000002#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\#\Properties\{4d1ebee8-0803-4774-9842-b77db50265e9}\0002\(Default)Binary Data 13241300x800000000000000035112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.869{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport\InitialTimestampQWORD (0x01d8bc5e-0x91ee5b08) 13241300x800000000000000035111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.869{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 2\DeviceIdentifierPageBinary Data 13241300x800000000000000035110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.869{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 2\DeviceTypeCdRomPeripheral 13241300x800000000000000035109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.869{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 2\IdentifierMsft Virtual DVD-ROM 1.0 13241300x800000000000000035108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.869{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 2\InquiryDataBinary Data 12241200x800000000000000035107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:52:16.869{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport 13241300x800000000000000035106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.869{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0069\(Default)Binary Data 13241300x800000000000000035105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.869{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000002#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\DeviceInstanceSCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 13241300x800000000000000035104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.869{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\DeviceClasses\{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\##?#SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000002#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\#\Properties\{026e516e-b814-414b-83cd-856d6fef4822}\0006\(Default)Binary Data 13241300x800000000000000035103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.869{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0069\(Default)Binary Data 13241300x800000000000000035102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.869{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\DeviceClasses\{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\##?#SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000002#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\DeviceInstanceSCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 13241300x800000000000000035101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.869{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0002\(Default)Binary Data 13241300x800000000000000035100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Parameters\WppRecorder_TraceGuid{a4196372-c3c4-42d5-87bf-7edb2e9bcc27} 13241300x800000000000000035099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Enum\NextInstanceDWORD (0x00000001) 13241300x800000000000000035098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Enum\CountDWORD (0x00000001) 13241300x800000000000000035097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Enum\0SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 13241300x800000000000000035096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UINumberDWORD (0x00000001) 13241300x800000000000000035095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CapabilitiesDWORD (0x00000062) 13241300x800000000000000035094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\(Default)Binary Data 13241300x800000000000000035093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\(Default)Binary Data 13241300x800000000000000035092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlagsDWORD (0x00000000) 13241300x800000000000000035091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0007\(Default)Binary Data 13241300x800000000000000035090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Services\cdrom\AutoRunAlwaysDisableBinary Data 13241300x800000000000000035089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport\MinimumIdleTimeoutInMSDWORD (0x00000000) 13241300x800000000000000035088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\DefaultRequestFlagsDWORD (0x00000008) 13241300x800000000000000035087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName@cdrom.inf,%%ISO_Generic_FriendlyName%%;Microsoft Virtual DVD-ROM 13241300x800000000000000035086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\000E\(Default)Binary Data 13241300x800000000000000035085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\(Default)Binary Data 13241300x800000000000000035084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\0001\MatchingDeviceIdSCSI\CdRomMsft____Virtual_DVD-ROM_ 13241300x800000000000000035083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003\(Default)Binary Data 13241300x800000000000000035082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0006\(Default)Binary Data 13241300x800000000000000035081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\0001\InfSectioncdrom_install_ISO_drive 13241300x800000000000000035080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\(Default)Binary Data 13241300x800000000000000035079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\0001\InfPathcdrom.inf 13241300x800000000000000035078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003\(Default)Binary Data 13241300x800000000000000035077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\0001\DriverVersion10.0.14393.5006 13241300x800000000000000035076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002\(Default)Binary Data 13241300x800000000000000035075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\0001\DriverDate6-21-2006 13241300x800000000000000035074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\0001\DriverDateDataBinary Data 13241300x800000000000000035073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009\(Default)Binary Data 13241300x800000000000000035072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceSetup\SessionNumberBinary Data 13241300x800000000000000035071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\0001\ProviderNameMicrosoft 13241300x800000000000000035070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg@cdrom.inf,%%genmanufacturer%%;(Standard CD-ROM drives) 734700x800000000000000035069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.853{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\DeviceSetupManager.dll10.0.14393.0 (rs1_release.160715-1616)Device Setup ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationDeviceSetupManager.dllMD5=7433474BE77F065D2FA628671FE31A3E,SHA256=063ADDC68F48036749E6EC7B2F66284DB29F90F62E9468D16B4EF5A0FDC45E35,IMPHASH=979C904CE62DA00890CC9C29BD894216trueMicrosoft WindowsValid 13241300x800000000000000035068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0004\(Default)Binary Data 13241300x800000000000000035067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\0001\DriverDescCD-ROM Drive 13241300x800000000000000035066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver{4d36e965-e325-11ce-bfc1-08002be10318}\0001 13241300x800000000000000035065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc@cdrom.inf,%%gencdrom_devdesc%%;CD-ROM Drive 13241300x800000000000000035064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Servicecdrom 13241300x800000000000000035063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ClassGUID{4d36e965-e325-11ce-bfc1-08002be10318} 13241300x800000000000000035062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\(Default)Binary Data 13241300x800000000000000035061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDsBinary Data 13241300x800000000000000035060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareIDBinary Data 13241300x800000000000000035059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0069\(Default)Binary Data 13241300x800000000000000035058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\BaseContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002Binary Data 13241300x800000000000000035057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ContainerID{00000000-0000-0000-ffff-ffffffffffff} 13241300x800000000000000035056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlagsDWORD (0x00000400) 13241300x800000000000000035055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UINumberDWORD (0x00000001) 13241300x800000000000000035054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CapabilitiesDWORD (0x00000062) 13241300x800000000000000035053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LocationInformationBus Number 0, Target Id 0, LUN 2 13241300x800000000000000035052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80497100-8c73-48b9-aad9-ce387e19c56e}\0006\(Default)Binary Data 13241300x800000000000000035051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\(Default)Binary Data 13241300x800000000000000035050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\(Default)Binary Data 13241300x800000000000000035049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.853{3AAE424D-DEE0-630D-0100-000000007502}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDescMsft Virtual DVD-ROM SCSI CdRom Device 734700x800000000000000035048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.838{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000035047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.838{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\virtdisk.dll10.0.14393.2007 (rs1_release.171231-1800)Virtual Disk API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationVIRTDISK.DLLMD5=52F41CC2AAA9548FE4F8CF122EC209EC,SHA256=BEE64EAC456019C6B1C6D04ECBE22CA4D8804BE87E003E2D3952801207BC6EF4,IMPHASH=A3334A2670A60783CE69DE81680830ACtrueMicrosoft WindowsValid 13241300x800000000000000035046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.838{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListExBinary Data 734700x800000000000000035045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.838{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 13241300x800000000000000035044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.838{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder\MRUListExBinary Data 13241300x800000000000000035043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.838{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder\0Binary Data 734700x800000000000000035042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.838{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 13241300x800000000000000035041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.838{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\1Binary Data 734700x800000000000000035040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.838{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 11241100x800000000000000035039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.838{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2022-08-30 10:50:17.172 734700x800000000000000035038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.838{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 12241200x800000000000000035037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteValue2022-08-30 10:52:16.838{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\1 12241200x800000000000000035036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteValue2022-08-30 10:52:16.838{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder\0 23542300x800000000000000035035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.838{3AAE424D-E5C4-630D-5403-000000007502}3604WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnkMD5=293302147C1AED162BF0E080F7D98019,SHA256=7A38E43D804C8529A0FE1BBF188C931449E6B41CAB8ADAD6E6E2B4C62C667250,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000035034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.838{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 734700x800000000000000035033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.838{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 734700x800000000000000035032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.838{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000035031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.838{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000035030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.838{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000035029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.838{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 13241300x800000000000000035028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.838{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.iso\MRUListExBinary Data 13241300x800000000000000035027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.838{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.iso\1Binary Data 13241300x800000000000000035026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.838{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\2Binary Data 734700x800000000000000035025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.838{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000035024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.838{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 11241100x800000000000000035023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.838{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\fotos.iso.lnk2022-08-30 10:52:16.838 734700x800000000000000035022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.838{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000035021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.838{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 13241300x800000000000000035020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.838{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iso\OpenWithProgids\Windows.IsoFileBinary Data 10341000x800000000000000035019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.822{3AAE424D-DEE3-630D-1400-000000007502}8642424C:\Windows\system32\svchost.exe{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.822{3AAE424D-DEE3-630D-1400-000000007502}8641088C:\Windows\system32\svchost.exe{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000035017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.822{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000035016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.822{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000035015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.822{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000035014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.822{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000035013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.822{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000035012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.822{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000035011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.822{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 13241300x800000000000000035010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.822{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Explorer.exeQWORD (0x01d8bc5e-0x91e73a69) 10341000x800000000000000035009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.822{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000035008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.822{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x800000000000000035007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.822{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000035006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.822{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000035005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.822{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000035004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.822{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000035003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.822{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000035002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.822{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x800000000000000035001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.806{3AAE424D-E5C0-630D-4003-000000007502}31522856C:\Windows\system32\csrss.exe{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x800000000000000035000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.806{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000034999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.806{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000034998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.806{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000034997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.806{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88trueMicrosoft WindowsValid 10341000x800000000000000034996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.806{3AAE424D-DEE2-630D-0500-000000007502}4081028C:\Windows\system32\csrss.exe{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.806{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000034994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:16.806{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iso\OpenWithProgids\Windows.IsoFileBinary Data 10341000x800000000000000034993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.806{3AAE424D-DEE3-630D-1400-000000007502}8642424C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\appinfo.dll+cdf0|c:\windows\system32\appinfo.dll+12868|c:\windows\system32\appinfo.dll+12fbf|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.806{3AAE424D-DEE3-630D-1400-000000007502}8642424C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\appinfo.dll+cdf0|c:\windows\system32\appinfo.dll+12aa0|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:16.194{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0053F42F797E880FD60B46AFC72267BD,SHA256=7087B58A8254F09964E5471095502C5F8931E7BDC166D3B5337D57B656029937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.944{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF7901745C71C2F331C6BF2239E37F71,SHA256=AB7680C6945517B217644362E045F34917196E4D9C095605FDBD64260ECD2636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.694{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED1F1528F5D463416F28CFDA077AC2A1,SHA256=C2F73F3DEC537CE56732B55D71E2950F0ABA0DDFCF04DA6EA88C1F21836A5457,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000035351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.678{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355,IMPHASH=FE994282C73F9AB11AC9B6E37AC26B47trueMicrosoft WindowsValid 10341000x800000000000000035350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.616{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.616{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.616{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.616{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.616{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.616{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.600{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.600{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.600{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.600{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.600{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.600{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.600{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.600{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.600{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.600{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.600{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.600{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.600{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.600{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.585{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.585{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.585{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.585{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.585{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.585{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.585{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.585{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.585{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.585{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.585{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.585{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.585{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.585{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.585{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:17.092{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F35B5D5CBA7945F4B304B4B56BFCE13,SHA256=D763D938F84E245E8D1D8BC126D1AA051D943EE786363C5D197B71FDD79FB940,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.585{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000035314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:17.569{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\SessionIdLowDWORD (0x92592e6d) 13241300x800000000000000035313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:17.569{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\SessionIdHighDWORD (0x01d8bc5e) 10341000x800000000000000035312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.569{3AAE424D-EB6A-630D-3204-000000007502}17524220C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+39788|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 13241300x800000000000000035311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:17.569{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\SessionIdLowDWORD (0x92592e6c) 13241300x800000000000000035310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:17.569{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\SessionIdHighDWORD (0x01d8bc5e) 10341000x800000000000000035309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.569{3AAE424D-EB6A-630D-3204-000000007502}17524220C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+39788|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 734700x800000000000000035308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.569{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\servicing\CbsApi.dll10.0.14393.0 (rs1_release.160715-1616)Component Based Servicing API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcbsapi.dllMD5=176E556358F4F4868397D080CA660F6E,SHA256=A41CED61F2C7E67FE65397F9AC037EF0C720A168C183C647F8FAD07A8DA0B6AE,IMPHASH=0D11D8030B464E83DCB0906249CCB4AFtrueMicrosoft WindowsValid 10341000x800000000000000035307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.553{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.553{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.553{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.553{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.553{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.553{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.553{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.553{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.553{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.553{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.553{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.553{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.553{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.553{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.553{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.553{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.553{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.553{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.538{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.538{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.538{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.538{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.538{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.538{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.475{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8A019F82B19E7F8BD04820F80F32BFF,SHA256=C37F83408C5610D3556E472DA02AB7CEA38E1235669857190982CBD13202D409,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.413{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.413{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.413{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.413{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.413{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.413{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.397{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.397{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.397{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.397{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.397{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.397{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.397{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.397{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.397{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.397{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.397{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.397{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.382{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.382{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.382{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.382{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.382{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.382{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.382{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.382{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.382{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.382{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.382{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.382{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.366{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.366{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.366{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.366{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.366{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.366{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.366{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.366{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.366{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.366{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.366{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.366{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.350{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.350{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.350{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.350{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.350{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.350{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.350{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.350{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.350{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.350{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.350{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.350{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.335{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.335{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.335{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.335{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.335{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.335{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.335{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.335{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.335{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.335{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.335{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.335{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.319{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.319{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.319{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.319{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.319{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.319{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000035210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.303{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\dsrole.dll10.0.14393.0 (rs1_release.160715-1616)DS Setup Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationDSROLE.DLLMD5=2A319EC8DF0FB5C46CF311B9D2B65B1D,SHA256=62B8900EFDF4B30E54E11232A8DA95DBF066DAEFD364A66EB99ADC028A3798F7,IMPHASH=E4AC0A0BD42B7356347D6A1BE150F6A6trueMicrosoft WindowsValid 734700x800000000000000035209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.303{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\schedcli.dll10.0.14393.0 (rs1_release.160715-1616)Scheduler Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSCHEDCLI.DLLMD5=9565E2180ACA12EC2DAAF237568BB7FF,SHA256=450DEFF97BA11F320372CADABDFEE221D4821652DB14CBE2B2AC22DE6F212C2D,IMPHASH=A26C66511F0E88DB089794819D0C920BtrueMicrosoft WindowsValid 734700x800000000000000035208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.303{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\logoncli.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=4D97A8DA0BF104134C81170C31EA5A69,SHA256=5A85BD08422227F07863837184163A289AE288FC9BD07389AA5C3BFB0A627888,IMPHASH=38941DF5102FFD817983A19701DCDF2AtrueMicrosoft WindowsValid 734700x800000000000000035207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.303{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000035206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.303{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000035205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.303{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\samcli.dll10.0.14393.0 (rs1_release.160715-1616)Security Accounts Manager Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMCLI.DLLMD5=AEF1161232D111EEA93F64B203F131AE,SHA256=C1DA3DF389A414AAA26FEEEA28F35AAC202CE3A5CC3AF26B7C0C14EBBC2157F9,IMPHASH=D27BDFF964B5FDB8A5E9B0599333826BtrueMicrosoft WindowsValid 734700x800000000000000035204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.303{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 10341000x800000000000000035203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.303{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.303{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.303{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.303{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.303{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.303{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.303{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.303{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.288{3AAE424D-DEE2-630D-0B00-000000007502}6245608C:\Windows\system32\lsass.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.288{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3BF12B2EDA28200FD1088FABF1F2EFF,SHA256=8431C077153C3847E119A59EBA457C3E5465F521857BFC4BDA233C1006392BA9,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000035193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.288{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3,IMPHASH=96416B54C1F2E15EF294753DF1CB4131trueMicrosoft WindowsValid 23542300x800000000000000035192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.183{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4E1986FE7F25DE7A7FE2BEC894CC2B2F,SHA256=227EF77C98EC7C03ADBF17D079C12DC6297CF52B6A34853A857BBDCEC3937F5E,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000035191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.174{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\dispci.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft Display Class InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationDispCI.dllMD5=78287C2EB0594C1FD9657775646CC907,SHA256=F2F5C8F3FE65081E397A6394B328E3175DB0F91B7C067A4D1AB9525869A2B094,IMPHASH=AA1ECEC794AE408F2A32851176A93BE4trueMicrosoft WindowsValid 23542300x800000000000000035190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.171{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D21EDEF407A602EC876D235C5235F1,SHA256=8C91F155C2F33D281B73A0F46579194ED5C2F84ADDF70A7AE1AFC2643458F864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.162{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=018E7DFFDB6E8D1A902AE04545327FD5,SHA256=98B3A2B277A2C8012EF35CA499EE4C096A4EAE89391B221DD09C64005C15F0E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.072{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000035187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.071{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000035186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.070{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000035185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.070{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000035184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.068{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000035183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.068{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBE0-630D-4604-000000007502}1116C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 11241100x800000000000000035182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.052{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeC:\Windows\System32\DriverStore\FileRepository\cdrom.inf_amd64_3362899763b6c760\cdrom.PNF2022-08-30 10:52:17.052 13241300x800000000000000035181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:17.048{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000050440\VirtualDesktopBinary Data 13241300x800000000000000035180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:17.042{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\SniffedFolderTypeGeneric 13241300x800000000000000035179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:17.042{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\24\Shell\SniffedFolderTypeDocuments 13241300x800000000000000035178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:17.010{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000035177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:17.010{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000035176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:17.010{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 23542300x800000000000000035355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:18.588{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B9CE12D4F05A312C9798F9246D3778,SHA256=2DF9B844D2EED37ED576D380C0FE0AB0869115EA46BA751675DA58EE69C449E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:18.316{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=21558D36FFA55399BB3EE3E639FD517D,SHA256=CA41E34B1E75BA1FB3953660E111839B8DFED5CE6F079A2FE62E7DF9EDEED625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:18.191{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=905366F190631EA30B9D9BF37FD92471,SHA256=A7CBEF8FD0DDEB6AB5657545FE65DC0A6E80A1C48AC56DB10A9CDB611FB4BB9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:18.057{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=474D482CDB0B6C774AD2ADC127E8D93A,SHA256=BF611B0B7894322320A2C37239CA12056C70B61F3869F12444D71C983ABD4256,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:17.440{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50371-false52.238.248.2-443https 13241300x800000000000000035411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:19.774{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000035410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:19.774{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 734700x800000000000000035409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.774{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\mydocs.dll10.0.14393.4169 (rs1_release.210107-1130)My Documents Folder UIMicrosoft® Windows® Operating SystemMicrosoft Corporationmydocs.dllMD5=999FD44CF5713852E6083A43A7917761,SHA256=D5C75951C29B7F0AAA4EC9E9AB3195933E650C1F171092F389FD4DB66CA1CA20,IMPHASH=D1267CC8F49B54A66A0034D2C4452E93trueMicrosoft WindowsValid 13241300x800000000000000035408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:19.774{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 734700x800000000000000035407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.774{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\sendmail.dll10.0.14393.4169 (rs1_release.210107-1130)Send MailMicrosoft® Windows® Operating SystemMicrosoft CorporationSENDMAIL.DLLMD5=04626525E567811FC7ECB3E31D94F8B0,SHA256=678A3A9DD713DC61F72112BD3160B8753F1A50D1179FDFABD265C32103980A6A,IMPHASH=52DBB027F849F4DB11CB3C2B56C0E9FBtrueMicrosoft WindowsValid 13241300x800000000000000035406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:19.774{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000035405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:19.774{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000035404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:19.759{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dll\OpenWithProgids\dllfileBinary Data 13241300x800000000000000035403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:19.759{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000035402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:19.759{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000035401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:19.759{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000035400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:19.759{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000035399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:19.759{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000035398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:19.759{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000035397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:19.759{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000035396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:19.759{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 10341000x800000000000000035395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.665{3AAE424D-DEE2-630D-0D00-000000007502}788812C:\Windows\system32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.649{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69D1EB21F166F28512CAF6AABC3C66CF,SHA256=3D03D77A517A106E592E4261C464A1685C59C20A6DD8E390EE1B2CE75FE8E460,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:17.473{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal60098- 23542300x800000000000000040540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:19.292{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C14444DC99DB6DFA655A8240F1818C79,SHA256=6A2DF3AC3621F7272B95D2A392423C7BA9C8F9CFC39DB3FB6DF641F0B4EEBE12,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000035359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:19.384{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\(Default)Binary Data 734700x800000000000000035358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.290{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\DDORes.dll10.0.14393.0 (rs1_release.160715-1616)Device Category information and resourcesMicrosoft® Windows® Operating SystemMicrosoft CorporationDeviceCategories.dllMD5=4D558BCF2062138ADC52D6A9297A9732,SHA256=D03BD3F1B5664492E360851297C0347B1E6973C157343E2B144B343C0FABB14C,IMPHASH=4ADE000E26811AE05A20CE8C732A4112trueMicrosoft WindowsValid 13241300x800000000000000035357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:19.290{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0069\(Default)Binary Data 13241300x800000000000000035356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:19.290{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\(Default)Binary Data 23542300x800000000000000035419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:20.856{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AECDFC7B49A62A0347A2A742BCA2054A,SHA256=E68393AC0FD3C4F945B19DFFAE54D47611B99A046B09441E53C3987DF0EAD031,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.278{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50374-false20.86.173.234-80http 354300x800000000000000035417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.131{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50373-false104.98.86.42a104-98-86-42.deploy.static.akamaitechnologies.com80http 354300x800000000000000035416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:18.861{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50372-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000040544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:19.226{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal53398- 354300x800000000000000040543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:19.188{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal51882- 23542300x800000000000000040542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:20.391{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D10C1C75E47C15CF025874422D6ECF,SHA256=E690026E3BB910724FEE18FFDDC25D4D4BD08A9E5F3852F67CDDA0EDC7455DB8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000035415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:20.147{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0069\(Default)Binary Data 13241300x800000000000000035414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:20.146{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0008\en-USBinary Data 13241300x800000000000000035413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:20.146{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\(Default)Binary Data 23542300x800000000000000035520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.996{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B9CD5EE7A250520FED564D5F505D634,SHA256=3218E8DBE6A3D30645C4BD84BB492A9D453C74064ECF2DAF0B60923479DB7E2E,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000035519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.933{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\iertutil.dll11.00.14393.5291 (rs1_release.220806-1444)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=52FD1288FED0BD435BBA02023D8A5394,SHA256=C277A8E6B6E25656085647270AF0D6673DD3C6B29C99260825CD5909FCB82549,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 13241300x800000000000000035518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:21.949{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000035517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:21.949{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 10341000x800000000000000035516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.949{3AAE424D-E5C4-630D-5403-000000007502}36044092C:\Windows\Explorer.EXE{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.949{3AAE424D-E5C4-630D-5403-000000007502}36044092C:\Windows\Explorer.EXE{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.949{3AAE424D-E5C4-630D-5403-000000007502}36044092C:\Windows\Explorer.EXE{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.949{3AAE424D-E5C4-630D-5403-000000007502}36044392C:\Windows\Explorer.EXE{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000035512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:21.949{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001602D0\VirtualDesktopBinary Data 10341000x800000000000000035511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.949{3AAE424D-E5C4-630D-5403-000000007502}36044392C:\Windows\Explorer.EXE{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.949{3AAE424D-E5C4-630D-5403-000000007502}36044392C:\Windows\Explorer.EXE{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.949{3AAE424D-E5C4-630D-5403-000000007502}36044392C:\Windows\Explorer.EXE{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000035508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.918{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000035507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.918{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000035506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.902{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\urlmon.dll11.00.14393.5291 (rs1_release.220806-1444)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=EB23BDE140B2A7A40A10923024B4B945,SHA256=F839955D9722980FEC4540AC2FFE3C8225434A40FDF12C7F6A67E9FF3B7AA7E8,IMPHASH=E530C982EE775310D0834EA7C551BBFDtrueMicrosoft WindowsValid 354300x800000000000000035505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.704{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50377-false104.98.86.42a104-98-86-42.deploy.static.akamaitechnologies.com80http 354300x800000000000000035504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.558{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50376-false104.98.86.42a104-98-86-42.deploy.static.akamaitechnologies.com80http 354300x800000000000000035503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:19.408{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50375-false104.98.86.42a104-98-86-42.deploy.static.akamaitechnologies.com80http 734700x800000000000000035502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.824{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\EhStorShell.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Enhanced Storage Shell Extension DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationEhStorShell.dllMD5=4327110011C5B4D72EA451FA23D78CED,SHA256=A3FC4F52D93C74DF05A422F279781747674FEACFCD0ED9DE05FFFC8AEA49E23B,IMPHASH=111C0B6B81920F4C028C3EB61B1873D7trueMicrosoft WindowsValid 13241300x800000000000000035501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:21.855{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 10341000x800000000000000035500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.855{3AAE424D-E5C4-630D-4D03-000000007502}38763224C:\Windows\system32\taskhostw.exe{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000040546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:19.454{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal54435- 23542300x800000000000000040545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:21.490{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF719CC80E0F6445CE522736DBE8514F,SHA256=47826C430F579CC2BC3AA11D36E653BD89F31536B360446390094BCD4EF62B2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.840{3AAE424D-E5C4-630D-4D03-000000007502}38763224C:\Windows\system32\taskhostw.exe{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.840{3AAE424D-E5C4-630D-5403-000000007502}36044756C:\Windows\Explorer.EXE{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000035497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.809{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\cscobj.dll10.0.14393.4169 (rs1_release.210107-1130)In-proc COM object used by clients of CSC APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCSCOBJ.DLLMD5=850613912A28BFC344A4B137495E5EDF,SHA256=0D43250573ED2274866893CED721523F0DFB9B75B2B75062E5E690543A96764F,IMPHASH=BA446D9473A9C87DC3CDD702C5B83451trueMicrosoft WindowsValid 10341000x800000000000000035496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.840{3AAE424D-E5C4-630D-5403-000000007502}36044756C:\Windows\Explorer.EXE{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.840{3AAE424D-E5C4-630D-5403-000000007502}36044756C:\Windows\Explorer.EXE{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.840{3AAE424D-E5C4-630D-5403-000000007502}36044756C:\Windows\Explorer.EXE{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000035493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.809{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\cscui.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Client Side Caching UIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscui.dllMD5=1CA3E6207A230620599F7370D6C8F173,SHA256=758385B0BA148ABCB97A659CC8060DB6DC621A6CAA51B5F717C1233C8B450F51,IMPHASH=7C4C5D26A164B555C68D5F02A417A150trueMicrosoft WindowsValid 734700x800000000000000035492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.793{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BF,IMPHASH=B74E4EE6BBCE405BE73914241C9AF2C8trueMicrosoft WindowsValid 734700x800000000000000035491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.824{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x800000000000000035490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.809{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6433F8201BFB449DC6B47F6999C2F164,SHA256=06729F1E0A0596620B48B6DC4A2CC9CC5FE55B17BD488C71F7F15AA4262C8C14,IMPHASH=50E2F760F0B39DC72CAD6892FEDF2F27trueMicrosoft WindowsValid 734700x800000000000000035489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.793{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\docprop.dll10.0.14393.0 (rs1_release.160715-1616)OLE DocFile Property PageMicrosoft® Windows® Operating SystemMicrosoft Corporationdocprop.dllMD5=604BDD87D129E28C4E34B352C71D39F4,SHA256=D45CAC7BDA0D58938344AA2B09DBF286B6C1696259B83F5AEDE9F689F509896B,IMPHASH=93CA580F9802485D21E1720EFFA5FC6DtrueMicrosoft WindowsValid 734700x800000000000000035488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.809{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BAB,IMPHASH=AD7CEB919D43FA2BD394EC803EB6BCDAtrueMicrosoft WindowsValid 734700x800000000000000035487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.809{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000035486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.809{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\twext.dll10.0.14393.5192 (rs1_release.220610-1622)Previous Versions property pageMicrosoft® Windows® Operating SystemMicrosoft Corporationtwext.dllMD5=AD23E6F6DDBC81B6BB5846536765DF1E,SHA256=9A3872A585E0F664A12F102E5C4D771A17B583F01FF6A4C9C2A2E0696055B3E7,IMPHASH=29C3BF5A3E76E3AC1BA5E32244E9991FtrueMicrosoft WindowsValid 734700x800000000000000035485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.777{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\cryptui.dll10.0.14393.3321 (rs1_release.191016-1811)Microsoft Trust UI ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTUI.DLLMD5=7BA8C29986BA103E2353D405DCCB87D7,SHA256=E9FFD440B5318D65AC2A38125CC417C8F34C6344CA8D9251A8ABE74D14C518B8,IMPHASH=62620EF249FFBE3A3FFFCF86ECC0E8AFtrueMicrosoft WindowsValid 10341000x800000000000000035484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.793{3AAE424D-E5C4-630D-5403-000000007502}36044168C:\Windows\Explorer.EXE{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\combase.dll+abdf2|C:\Windows\System32\combase.dll+acb1e|C:\Windows\System32\combase.dll+ac92f|C:\Windows\System32\combase.dll+2f298|C:\Windows\System32\combase.dll+2eeb0|C:\Windows\System32\combase.dll+3be74|C:\Windows\System32\combase.dll+c29a4|C:\Windows\System32\combase.dll+38f31|C:\Windows\System32\combase.dll+3a880|C:\Windows\System32\combase.dll+4dba|C:\Windows\System32\RPCRT4.dll+d5ff4|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+39788|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000035483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.793{3AAE424D-E5C4-630D-5403-000000007502}36044168C:\Windows\Explorer.EXE{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\combase.dll+abdf2|C:\Windows\System32\combase.dll+acb1e|C:\Windows\System32\combase.dll+ac92f|C:\Windows\System32\combase.dll+2f298|C:\Windows\System32\combase.dll+2eeb0|C:\Windows\System32\combase.dll+3be74|C:\Windows\System32\combase.dll+c29a4|C:\Windows\System32\combase.dll+38f31|C:\Windows\System32\combase.dll+3a880|C:\Windows\System32\combase.dll+4dba|C:\Windows\System32\RPCRT4.dll+551e8|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+39788|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4 734700x800000000000000035482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.761{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\cryptext.dll10.0.14393.4169 (rs1_release.210107-1130)Crypto Shell ExtensionsMicrosoft® Windows® Operating SystemMicrosoft CorporationCryptExt.dllMD5=457380C9B5488D2E45D4F93CA68FAF75,SHA256=BDE91D09EB5664C96381FB0DC0A2558502A203141FB78F4D8A3D8A0C5EA81AF4,IMPHASH=6E0AA5AE4622F87A8A2E452BBF496760trueMicrosoft WindowsValid 13241300x800000000000000035481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:21.793{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3EA48300-8CF6-101B-84FB-666CCB9BCD32} {000214E9-0000-0000-C000-000000000046} 0xFFFFBinary Data 734700x800000000000000035480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.777{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6,IMPHASH=46ADE2B067E724C7163A0B1902FEF225trueMicrosoft WindowsValid 734700x800000000000000035479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.761{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\synceng.dll10.0.14393.0 (rs1_release.160715-1616)Windows Briefcase EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationSYNCENG.DLLMD5=A683B60F1A5FAC27D1173F937403ED1B,SHA256=57450827A7F7D880F236F27A1D92654A3284842226539A26F311CFA736083571,IMPHASH=0A2DBAAA924DBD2D0A4335D1E0E9A7C9trueMicrosoft WindowsValid 734700x800000000000000035478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.777{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\authz.dll10.0.14393.4886 (rs1_release.220104-1735)Authorization FrameworkMicrosoft® Windows® Operating SystemMicrosoft Corporationauthz.dllMD5=A26BCF0FE442174708AA3DB7602B5A3D,SHA256=18D5690E120DFC6260C6D2E75BD84660824EAAF919B3CDF24C46AA1D18C301EB,IMPHASH=720B221BA6A01692F2370B4CCC197970trueMicrosoft WindowsValid 734700x800000000000000035477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.777{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\rshx32.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Security Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft Corporationrshx32.dllMD5=77E9379C6D7585462B6B8313EEA68291,SHA256=D136B97364382D0D7B1A2E2D8757839CE8FD66FF51C02FB479586161F6590ADB,IMPHASH=F60A841A8F715A760D61123E7B1CB03CtrueMicrosoft WindowsValid 734700x800000000000000035476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.777{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\imagehlp.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT Image HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationIMAGEHLP.DLLMD5=E1C665DC0FD5A7423B0C0F5325A1027F,SHA256=8B84BE9335EF640ABAA8E8BBA45C6BC77F2251359D4BCC157235CB4BC107AE69,IMPHASH=C88C4D131D277C03F0879B4E0D5679DBtrueMicrosoft WindowsValid 734700x800000000000000035475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.777{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x800000000000000035474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.777{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000035473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.777{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000035472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.777{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000035471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.761{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\syncui.dll10.0.14393.2608 (rs1_release.181024-1742)Windows BriefcaseMicrosoft® Windows® Operating SystemMicrosoft CorporationSYNCUI.DLLMD5=D3CD7E690590A1AD564C832DFE1A1922,SHA256=F3CB2B362A0970B106D8B5F27F80D019931090D3ED579C72182163502BA212B7,IMPHASH=39745F2E08404A86C1D135E2AB69B2B1trueMicrosoft WindowsValid 734700x800000000000000035470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.746{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\WindowsCodecs.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B9738D6785CE0FF92F87C583E47E50B4,SHA256=EAEB44F64DF50357448460AE57CDFD154A4035B36A519EF868302DE3DD26F16A,IMPHASH=945C5ACF3D7F6243AD6374B1152227D8trueMicrosoft WindowsValid 13241300x800000000000000035469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:21.761{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7444C719-39BF-11D1-8CD9-00C04FC29D45} {000214E9-0000-0000-C000-000000000046} 0xFFFFBinary Data 734700x800000000000000035468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.761{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_a13eaee9d8fd5c07\comctl32.dll5.82 (rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=C89866876D676708892DEEA04A886CDA,SHA256=6C498F9AFFC75DFAADDACB9D1D4248862622FB2B06F0A410BA303A26FEADFF2B,IMPHASH=49FE37530A5C395ADDDAFC2730B16DDDtrueMicrosoft WindowsValid 734700x800000000000000035467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.761{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=4CE9B67A187310E37E535FC4165E0933,SHA256=469B33A5DDAA93D28F66AE6D6956268F6F2F09F146734D00A931FBDD1D87DE42,IMPHASH=F3640F50846C35CCE7151F1E835AE727trueMicrosoft WindowsValid 734700x800000000000000035466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.761{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 734700x800000000000000035465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.746{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp110_win.dll10.0.14393.2007 (rs1_release.171231-1800)Microsoft® STL110 C++ Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp110_win.dllMD5=BFB390484F611C21582AD11E4C6ADEF2,SHA256=30B5AD268C022FCA2AACAE2CB6E4DC36F6A01C16A006046BB4417CEA96DA4F5A,IMPHASH=80A56C2FEE02149B4E326F9A62FF4B12trueMicrosoft WindowsValid 734700x800000000000000035464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.746{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\policymanager.dll10.0.14393.4169 (rs1_release.210107-1130)Policy Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPolicyManager.dllMD5=58677E3FBF7D29109E8EB578062F1C81,SHA256=F751521EBC10CC1F0BC6AAB2715B9169439A014F178A7D6880080567D880C103,IMPHASH=E1BC13C6E7766D0332C0420A512C2799trueMicrosoft WindowsValid 734700x800000000000000035463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.746{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\thumbcache.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Thumbnail CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationthumbcache.dllMD5=915850DD84E156381392FC43ECDF37C0,SHA256=03E2C6D75BCC4FE599C40C4929E2877543EE625494BAC86D988AD23A0439468A,IMPHASH=428FE673E24F7848BECF2BA2271A839AtrueMicrosoft WindowsValid 734700x800000000000000035462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.746{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x800000000000000035461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.730{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 10341000x800000000000000035460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.730{3AAE424D-EBE5-630D-4704-000000007502}36485472C:\Windows\system32\DllHost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+5111a|C:\Windows\System32\shell32.dll+dbaa4|C:\Windows\System32\shell32.dll+da84b|C:\Windows\System32\shell32.dll+da32d|C:\Windows\System32\shell32.dll+58469|C:\Windows\System32\shell32.dll+316a08|C:\Windows\System32\shell32.dll+3167aa|C:\Windows\System32\shell32.dll+b2db5|C:\Windows\System32\shell32.dll+4c973|C:\Windows\System32\shell32.dll+4c949|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.730{3AAE424D-EBE5-630D-4704-000000007502}36485472C:\Windows\system32\DllHost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+51108|C:\Windows\System32\shell32.dll+dbaa4|C:\Windows\System32\shell32.dll+da84b|C:\Windows\System32\shell32.dll+da32d|C:\Windows\System32\shell32.dll+58469|C:\Windows\System32\shell32.dll+316a08|C:\Windows\System32\shell32.dll+3167aa|C:\Windows\System32\shell32.dll+b2db5|C:\Windows\System32\shell32.dll+4c973|C:\Windows\System32\shell32.dll+4c949|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.730{3AAE424D-EBE5-630D-4704-000000007502}36485472C:\Windows\system32\DllHost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+51108|C:\Windows\System32\shell32.dll+dbaa4|C:\Windows\System32\shell32.dll+da84b|C:\Windows\System32\shell32.dll+da32d|C:\Windows\System32\shell32.dll+58469|C:\Windows\System32\shell32.dll+316a08|C:\Windows\System32\shell32.dll+3167aa|C:\Windows\System32\shell32.dll+b2db5|C:\Windows\System32\shell32.dll+4c973|C:\Windows\System32\shell32.dll+4c949|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000035457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.730{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x800000000000000035456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.730{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000035455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.730{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000035454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.730{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 734700x800000000000000035453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.730{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000035452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.730{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 734700x800000000000000035451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.730{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000035450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.730{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000035449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.730{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000035448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.730{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000035447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.730{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000035446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.730{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x800000000000000035445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.730{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000035444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.730{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 10341000x800000000000000035443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.715{3AAE424D-DEE3-630D-1400-000000007502}8642424C:\Windows\system32\svchost.exe{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.715{3AAE424D-DEE3-630D-1400-000000007502}8641088C:\Windows\system32\svchost.exe{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000035441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.715{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000035440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.715{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000035439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.715{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000035438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.715{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000035437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.715{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000035436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.715{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000035435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.715{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x800000000000000035434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.715{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000035433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.715{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x800000000000000035432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.715{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000035431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.715{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000035430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.715{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000035429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.715{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000035428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.715{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000035427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.715{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x800000000000000035426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.715{3AAE424D-E5C0-630D-4003-000000007502}31522300C:\Windows\system32\csrss.exe{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x800000000000000035425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.715{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000035424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.715{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000035423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.715{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000035422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.699{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88trueMicrosoft WindowsValid 10341000x800000000000000035421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.699{3AAE424D-DEE2-630D-0500-000000007502}4081028C:\Windows\system32\csrss.exe{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.699{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000040550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:20.476{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal51918- 354300x800000000000000040549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:20.473{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal62012- 354300x800000000000000040548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:19.819{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63262-false10.0.1.12-8000- 23542300x800000000000000040547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:22.585{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9BB0CF381D9FA11CC23905CFECE8174,SHA256=77A307D232CD4B41FE2B02C14A1A0C99E983FC560FF2F4D20B94FC361E2B2E8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:22.258{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000035528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:22.256{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000035527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:22.127{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000035526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:22.127{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000035525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:22.127{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000035524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:22.127{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000035523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:22.127{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000035522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:22.127{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 23542300x800000000000000035521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:21.996{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82550A1D0572647FDBD191A37BA1BF09,SHA256=8AFE80B43E0A81296A0E864BBD02B333C7276BBFA80A86FE661BF2955696AAF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:23.668{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFC4EC6FA48BB13EFC23AE4E2FB59C67,SHA256=D7C14389EE38A7E311A1538E71F9A2190B8D760E253783DC46B307719253CD0E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000035531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:23.356{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0002\(Default)Binary Data 23542300x800000000000000035530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:23.112{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=059913C4A4DCC1888B13349AE15D83B5,SHA256=646E8B52D0734A011C3395ABA1CFFA3FC970188ADD1816BDA84616926671F88E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:24.755{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=894BCDED02CB7875B93D3BD565CB7B8F,SHA256=57B04102588906835E933A9E7FA4193BA0741C3B971D6A2589A2935B1C10D4A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:24.186{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F095411EA84252D73C93696310E81167,SHA256=F769C9DB3AB1E7E7E848451C006F209661335CED30506DD606002B827F6CEF70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:25.856{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8145279D734E66DF89B11426E9081136,SHA256=E66084E27A12365A60FD84936B45056FB7532787DAD104323FBDFEDB3E9ACB37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:25.263{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F444B5B6AB7A2FB4125AD86FAD163E,SHA256=278370B362527955E59AE949E807AC4621EAEB48180CC203789DDC06CD874CD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:26.942{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE03CBF13C665752270197790E3ECBCA,SHA256=7DF93E0413EF954F51C48DE524BB99D0DEF59787D9624849013A9A58FBD88FE3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000035586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\DeviceInterfaceClasses(Empty) 13241300x800000000000000035585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\LowerFilters(Empty) 13241300x800000000000000035584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\UpperFilters(Empty) 13241300x800000000000000035583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\LowerClassFilters(Empty) 13241300x800000000000000035582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\UpperClassFilters(Empty) 13241300x800000000000000035581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\STACKID\driver\cdrom,\driver\vhdmp 13241300x800000000000000035580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\COMPIDscsi\cdrom,scsi\raw 13241300x800000000000000035579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\ExtendedInfs(Empty) 13241300x800000000000000035578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\HWIDscsi\cdrommsft____virtual_dvd-rom_1.0_,scsi\cdrommsft____virtual_dvd-rom_,scsi\cdrommsft____,scsi\msft____virtual_dvd-rom_1,msft____virtual_dvd-rom_1,gencdrom 13241300x800000000000000035577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\BusReportedDescriptionMsft Virtual DVD-ROM SCSI CdRom Device 13241300x800000000000000035576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\DriverId00007013ae8bc5f905a6f5751e7c4201b2924d04a622 13241300x800000000000000035575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\ProviderMicrosoft 13241300x800000000000000035574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\ProblemCode0 13241300x800000000000000035573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\ContainerId{27db0821-3bf9-f71a-f96f-a53403857690} 13241300x800000000000000035572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\DriverVerVersion10.0.14393.5006 13241300x800000000000000035571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\DriverPackageStrongNamecdrom.inf_amd64_3362899763b6c760 13241300x800000000000000035570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\FirstInstallDate08-30-2022 13241300x800000000000000035569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\InstallDate08-30-2022 13241300x800000000000000035568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\DriverVerDate06-21-2006 13241300x800000000000000035567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\Infcdrom.inf 13241300x800000000000000035566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\DeviceState32 13241300x800000000000000035565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\InstallState0 13241300x800000000000000035564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\Servicecdrom 13241300x800000000000000035563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\Enumeratorscsi 13241300x800000000000000035562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\DescriptionMicrosoft Virtual DVD-ROM 13241300x800000000000000035561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\ClassGuid{4d36e965-e325-11ce-bfc1-08002be10318} 13241300x800000000000000035560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\Classcdrom 13241300x800000000000000035559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\MatchingIDscsi\cdrommsft____virtual_dvd-rom_ 13241300x800000000000000035558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\ParentId{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba\1&3030e83&0&01 13241300x800000000000000035557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\DriverNamecdrom.sys 13241300x800000000000000035556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\Manufacturer(Standard CD-ROM drives) 13241300x800000000000000035555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.878{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000002\ModelCD-ROM Drive 12241200x800000000000000035554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:52:26.862{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDriverPackage\PermissionsCheckTestKey 13241300x800000000000000035553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.862{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDriverPackage\WritePermissionsCheckDWORD (0x00000001) 12241200x800000000000000035552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:52:26.862{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDeviceUsbHubClass\PermissionsCheckTestKey 13241300x800000000000000035551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.862{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDeviceUsbHubClass\WritePermissionsCheckDWORD (0x00000001) 12241200x800000000000000035550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:52:26.862{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDeviceInterface\PermissionsCheckTestKey 13241300x800000000000000035549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.862{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDeviceInterface\WritePermissionsCheckDWORD (0x00000001) 12241200x800000000000000035548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:52:26.862{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\DriverPackageExtended\PermissionsCheckTestKey 13241300x800000000000000035547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.862{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\DriverPackageExtended\WritePermissionsCheckDWORD (0x00000001) 12241200x800000000000000035546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:52:26.862{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDeviceMediaClass\PermissionsCheckTestKey 13241300x800000000000000035545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.862{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDeviceMediaClass\WritePermissionsCheckDWORD (0x00000001) 12241200x800000000000000035544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:52:26.862{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDriverBinary\PermissionsCheckTestKey 13241300x800000000000000035543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.862{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDriverBinary\WritePermissionsCheckDWORD (0x00000001) 12241200x800000000000000035542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:52:26.862{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDeviceContainer\PermissionsCheckTestKey 13241300x800000000000000035541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.862{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDeviceContainer\WritePermissionsCheckDWORD (0x00000001) 12241200x800000000000000035540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:52:26.862{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\PermissionsCheckTestKey 13241300x800000000000000035539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:26.862{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe\REGISTRY\A\{05d84711-1874-9ced-33c3-b56f6f9e52cf}\Root\InventoryDevicePnp\WritePermissionsCheckDWORD (0x00000001) 734700x800000000000000035538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:26.862{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000035537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:26.862{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exeC:\Windows\System32\drvstore.dll10.0.14393.2791 (rs1_release.190205-1511)Driver Store APIMicrosoft® Windows® Operating SystemMicrosoft CorporationDRVSTORE.DLLMD5=D0DE1D69FC3F00F65F8D67C31BCC9682,SHA256=F27CEB248FCB3444B850896CB916DACC10BC730E7C2679D2A6C2582CC667F8AD,IMPHASH=AC3F232984E3ABCCF80F1B2A1ACA9991trueMicrosoft WindowsValid 734700x800000000000000035536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:26.862{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000035535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:26.862{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exeC:\Windows\System32\devinv.dll10.0.19645.1032 (WinBuild.160101.0800)Device Inventory LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinv.dllMD5=4AD8F9F4964B64FBF79D463A5DD6EA3E,SHA256=AC4C94B14924434CA3DEFE224E80D3BFD8B4078841C3DF2268C46CF215AB0F1C,IMPHASH=94EEFF72CC677C4C4124B0B3A85F7825trueMicrosoft WindowsValid 23542300x800000000000000035534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:26.362{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C1178A96C54F206EA0BA490DBD87AB6,SHA256=B6E31DF68B4B03B8974F823F6A0534F1C0C7AE3BEED8E4B8941A0A13BDB88B91,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:24.892{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63263-false10.0.1.12-8000- 23542300x800000000000000035589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:27.594{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB686ED731784B5014560C345564103,SHA256=56D92EE55C676490B4C8D55FD28677FF3A9848EA1CA61D244798A8DAED1C3A3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:27.485{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F10761BF1FABE9ACA567A4E55D07BF6E,SHA256=D176E9D43E6FB26DF4788AECA2215E705A9EE9BCECF723BD66284464281BB053,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:24.852{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50378-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000035590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:28.559{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E53AD542AA1C8B858376A1DC10B0A2,SHA256=9C0230D558100DD8AAA64725B2373D998996FFEA88FBAA39BE4211A594F1DA0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:28.030{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=116530D6F7534227A41AF201619A682F,SHA256=2A795DCC8B4386042A2C60F7707A50F3E5B98719C4717A19DC73781ED5CC511A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:29.639{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70E836D96695D9E131970CB7461B8794,SHA256=63D4C4A8A2C772A4A82CF106D09FE038E2EB34671A78213AB472B26202C4B3D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:29.719{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:29.712{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:29.708{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:29.705{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:29.699{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:29.657{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:29.650{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:29.635{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:29.626{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:29.621{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:29.614{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:29.607{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:29.597{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:29.588{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:29.577{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:29.567{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:29.494{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:29.492{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 23542300x800000000000000040557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:29.135{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCD85D14D1286730C07196874CBBFC6D,SHA256=71A838795AEAD773F01B895E292AACC40A1199B8F01865C54BFDBD067D9F56F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:27.198{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50379-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000035593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:30.844{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9FBFBD51B82024265E21F53B43F7C84,SHA256=A05CAF79C6CA5599A8B072DCBEF251B5A019D57C3222E29312C38ACB4C53E334,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:30.193{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:30.189{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:30.187{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:30.185{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:30.180{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 23542300x800000000000000040578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:30.178{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E75191A6F7E8E0B3C31DEABF4AAAFA7D,SHA256=0231E2C628B0A4FB03F7185B78F2547FB99E7322270C269A5A2F6B7E1071E815,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:30.164{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:30.161{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000035637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.887{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.881{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.877{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.874{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.873{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.872{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.871{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.844{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000040589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:31.937{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:31.937{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:31.937{BEA5AFC2-DC7F-630D-0B00-000000007402}640768C:\Windows\system32\lsass.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:31.924{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-E595-630D-7006-000000007402}5272C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000040585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:29.755{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse192.241.219.7zg-0829f-52.stretchoid.com58632-false10.0.1.14win-dc-ctus-attack-range-146.attackrange.local3389ms-wbt-server 23542300x800000000000000040584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:31.263{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC437B1D7CA329AD6A9ED7EDD91996F,SHA256=C4F42E76A210CB890A18F2529F6B6B3B37C7E5E0BD514665F2EF99A693EBFA44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.827{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.781{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.774{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.756{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.745{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.743{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.741{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.736{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.728{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.721{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.718{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.714{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.713{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.711{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.708{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.702{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.698{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.681{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.675{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.672{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.669{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.657{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.629{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.608{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.600{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.534{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.524{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.517{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.509{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.499{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.476{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.443{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.424{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.413{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.403{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 10341000x800000000000000035594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:31.398{3AAE424D-E5D3-630D-6803-000000007502}57526132C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001ACDC850) 23542300x800000000000000035639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:32.879{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=247DD55D6061A232514960C86930E9A1,SHA256=A6DE5DF71FDF9118DD77FCE002A841722B2BE609E919502B701D046170F7D075,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:32.808{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:32.800{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:32.776{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:32.769{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:32.761{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:32.757{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:32.755{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:32.753{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:32.751{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:32.748{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:32.746{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:32.745{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:32.742{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:32.740{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:32.740{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:32.739{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:32.738{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:32.737{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:32.735{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 354300x800000000000000040593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:30.845{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63264-false10.0.1.12-8000- 23542300x800000000000000040592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:32.372{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07177E783FD9B3F37833439669826A5B,SHA256=E372F4C3317884A52E8A408D1B93AD8557A063A8563811A9C32AF0CCBF2E9E16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:32.136{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A7E9F8F0981650C5B004C370E94CE4,SHA256=DE13D26F4A4FA00E23618EAE13ACB4238E039EFD69BF83D5D9DEEADA0C0F5961,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:32.227{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 10341000x800000000000000040590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:32.226{BEA5AFC2-E595-630D-7006-000000007402}52726516C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015C02CD0) 23542300x800000000000000035648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:33.948{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA9E897DE8F03E084A904865EC5FB589,SHA256=C65816113B1A19C001FE76EFAD578266EAEF0EAD3FA3A231328ED9A3B5C68670,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:33.443{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=725BC5F0A76780722E34717FFF7D5169,SHA256=ACB81A54B1AC23AC19778F88AAE17A7827642EDDBE9C6351F68A4FE529302F4A,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000035647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:33.638{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x800000000000000035646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:33.638{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x800000000000000035645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:33.637{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x800000000000000035644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:33.632{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x800000000000000035643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:33.632{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x800000000000000035642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:33.632{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x800000000000000035641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:33.630{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000035640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:30.791{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50380-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000040614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:34.542{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=136BCAA7A2DC9361E59E818278E1F218,SHA256=B575449AA07E09BFB1227E9DD76316A2E62E1769C7179550913A951BFFF5AD42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:35.635{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC6508FCBC9E4F4BD97AD6261B509B9C,SHA256=0771A0753A6A67337558F5A9E1B18F9A13952F7E71F6EDC591ED530954EC6B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:35.041{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CEF506852DB05BCB84679D068355297,SHA256=B7C729049E5397A5832AA38639B9DE7BDD489C19BA18FCEE1F5B1CE66D237B7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:36.723{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49AC50DB8445177CB545649C0AA5819E,SHA256=CE4A717731A8E3C5B732DB391E3A61B4B2DF8297A41C37AB8BCBD4764D2EEE7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:36.136{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49120FA8FC3473828598A8E73A6423AC,SHA256=F361286AC165D6CEFAEF699C0BD8D04E61D07E207C300944E78A603E9DCDD0F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:36.166{BEA5AFC2-DC7F-630D-0B00-000000007402}640768C:\Windows\system32\lsass.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:36.166{BEA5AFC2-DC7F-630D-0B00-000000007402}640768C:\Windows\system32\lsass.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:37.817{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D336D49ACD6DD1449EE2C4595AF19D,SHA256=9E62251C26662DF6EEC5C5E4D987463A0985C106381C0EBA6D186C67C252A98A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:35.940{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local63265-truefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local135epmap 354300x800000000000000040620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:35.940{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local63265-truefe80:0:0:0:8d82:ead9:cfe2:12d1win-dc-ctus-attack-range-146.attackrange.local135epmap 23542300x800000000000000035651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:37.238{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA5226256429254372FE73C485A819BA,SHA256=066F314C61B7C7D239D0DA3A0BA6D6E453E43996F7CA83FB0A1A8F06FCD3B13F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:37.008{BEA5AFC2-DC92-630D-2300-000000007402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00bf26b22d19118c1\channels\health\respondent-20220830094700-063MD5=C491190F90C7972FBE76687DCEFF5872,SHA256=DB0E0926111D00D550C987F8CEF70C29389AC9CA5369CEC4CC3BEF95D75DEA18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:38.894{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5971651DFD81270B72DA3FE7F62F127C,SHA256=D95F7BCDF5AC244F1315038D990D3D74C092E63D8B924740CB5BA69013DDAA25,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:36.001{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63266-false10.0.1.12-8000- 354300x800000000000000035657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:35.896{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50381-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000035656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:38.340{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B01BA04568994E6EBCFACCCE9EB4CF0B,SHA256=88DF49570D4711DAF8B3F63AE38E92624D264ECFAE4787411E374795A2806D03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:38.021{BEA5AFC2-DC92-630D-2300-000000007402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00bf26b22d19118c1\channels\health\surveyor-20220830094658-064MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000035655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:38.277{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001602D0\VirtualDesktopBinary Data 13241300x800000000000000035654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:38.246{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 12241200x800000000000000035653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-DeleteKey2022-08-30 10:52:38.231{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001602D0 10341000x800000000000000035652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:38.231{3AAE424D-E5C4-630D-5403-000000007502}36044168C:\Windows\Explorer.EXE{3AAE424D-EBE5-630D-4704-000000007502}3648C:\Windows\system32\DllHost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\combase.dll+abdf2|C:\Windows\System32\combase.dll+acb1e|C:\Windows\System32\combase.dll+ac92f|C:\Windows\System32\combase.dll+2f298|C:\Windows\System32\combase.dll+2eeb0|C:\Windows\System32\combase.dll+3be74|C:\Windows\System32\combase.dll+c29a4|C:\Windows\System32\combase.dll+38f31|C:\Windows\System32\combase.dll+3a880|C:\Windows\System32\combase.dll+4dba|C:\Windows\System32\RPCRT4.dll+d5ff4|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+39788|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4 23542300x800000000000000040626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:39.877{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B19060270D93C8000954B954CECB6E91,SHA256=A540B35FE5DAE87F72FC3D34DE40CCEEBFD6C2EB6751E67E987669BD81755F7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:39.428{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=443F6BB0F6CE711273C0A6A3ACB3B4D9,SHA256=7CCC7A824F6E72E9DCA87B1514F095F9C1D38B2A63838051580356886E2164BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:40.961{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1542EFA318574DBA6209788835C8DB5,SHA256=5C0C484055EA728AEBC685649B6CA4C6F48F23CD38E997E5A1EF7D755A779105,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000035714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.758{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000035713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.758{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000035712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.758{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000035711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.633{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=892923F5046CF348CFB95D1FEF9E8B3D,SHA256=DF1B2B7484A10F83278829A5FC757D4B385D0E81A43039AB23B70B9E8A7E2BF8,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000035710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.602{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000035709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.602{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000035708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.602{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000035707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.602{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000035706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.602{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000035705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.602{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000035704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.602{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000035703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.602{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000035702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.602{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000035701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.602{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000035700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000035699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000035698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000035697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000035696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000035695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000035694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000035693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000035692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000035691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000035690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000035689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000035688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000035687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000035686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000035685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000035684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000035683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000035682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000035681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000035680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000035679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000035678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000035677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000035676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000035675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000035674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000035673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000035672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000035671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000035670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000035669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000035668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000035667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000035666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000035664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x800000000000000035663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.586{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:40.587{3AAE424D-EBF8-630D-4804-000000007502}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.874{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=247DD8C9DD6E09F68773780381215CCE,SHA256=EDDA2C95A213E16ED1C7010661B2B72FE8B1F09B8045D23CF93D2C00EF91A06A,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000035819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.812{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000035818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.812{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000035817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.812{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000035816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.812{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000035815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.812{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000035814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.812{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000035813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.812{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000035812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.812{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000035811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.812{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000035810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.812{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000035809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.812{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000035808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.812{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000035807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.812{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000035806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.812{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000035805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.812{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000035804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.812{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000035803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.812{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000035802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000035801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000035800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000035799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000035798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000035797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000035796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000035795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000035794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000035793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000035792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000035791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000035790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000035789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000035788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000035787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000035786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000035785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000035784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000035783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000035782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000035781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000035780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000035779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x800000000000000035778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.796{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.797{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.733{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=677B990872CD1A6512D86358DCF31C66,SHA256=556801A17559D827D3F4714E486018010AAC91EB80C314569D499A995526F2BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.671{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11F3C773FB24AB4453E1BF102CD1967F,SHA256=16B0653DBCF50433862CB5D658ED3B79876E27333BD795C39779BBF21F921A66,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000040632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:52:41.227{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8540D214-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8540D214-0000-0000-0000-100000000000.XML 13241300x800000000000000040631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:52:41.211{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\06A4B577-CE6B-4918-863A-B3583677E3E5\Config SourceDWORD (0x00000001) 13241300x800000000000000040630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-SetValue2022-08-30 10:52:41.211{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\06A4B577-CE6B-4918-863A-B3583677E3E5\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_06A4B577-CE6B-4918-863A-B3583677E3E5.XML 10341000x800000000000000040629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:41.211{BEA5AFC2-DC7F-630D-0B00-000000007402}640768C:\Windows\system32\lsass.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:41.211{BEA5AFC2-DC7F-630D-0B00-000000007402}640768C:\Windows\system32\lsass.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000035769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.327{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000035768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.327{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000035767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.327{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 13241300x800000000000000035766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:41.265{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000035765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:41.265{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 23542300x800000000000000035764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.249{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAB9EBF1920D27D08560A6B687CEAEF8,SHA256=AFD120E45C1D32B7E6365F141535EEAC937817AA9F32F93CE125BD0BFB6E6C25,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000035763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.154{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000035762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.154{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000035761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.154{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000035760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.154{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000035759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.138{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000035758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.138{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000035757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.138{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000035756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.138{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000035755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.138{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000035754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.138{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000035753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.138{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000035752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.138{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000035751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.138{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000035750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.138{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000035749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.138{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000035748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.138{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000035747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.138{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000035746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.138{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000035745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000035744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000035743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000035742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000035741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000035740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000035739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000035738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000035737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000035736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000035735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000035734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000035733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000035732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000035731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000035730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000035729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000035728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000035727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000035726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000035725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000035724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000035723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x800000000000000035722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.123{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.125{3AAE424D-EBF9-630D-4904-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.013{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E4A1DF91BAB6C7576CE6768687F7712D,SHA256=C3BA7292863389160B982017C65707AF64AECCD3B17976DAF1D086D3ABE5FCB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.958{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F2C8374D4C792E578896111484C1F56,SHA256=1D442FDC8C0043FC5FC754BAD9B173F103F08EBDA089CEDD4B44D74BDC3F134D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.948{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2557259C1A55618D18A2D0BEC754CD7,SHA256=A83F99C84362ACB62DBF45E2081662A449364C36E13C91AD9668D09E29751724,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000035874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.753{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000035873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.739{3AAE424D-EBFA-630D-4B04-000000007502}51963276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000035872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.739{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000035871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.739{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x800000000000000040640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:42.900{BEA5AFC2-DC7F-630D-0B00-000000007402}640768C:\Windows\system32\lsass.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:42.900{BEA5AFC2-DC7F-630D-0B00-000000007402}640768C:\Windows\system32\lsass.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:42.900{BEA5AFC2-DC7F-630D-0B00-000000007402}640768C:\Windows\system32\lsass.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:42.205{BEA5AFC2-DC81-630D-1000-000000007402}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0943B0C438F92FC036646E02EEF9D8E8,SHA256=D3A313F00E2F2E1080A6EB99AD81E6E1CEE56EEB13CF143B2DC65EDD19F2A1D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:42.065{BEA5AFC2-DC7F-630D-0B00-000000007402}640768C:\Windows\system32\lsass.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:42.065{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69DB65144CAF80AC5B138DA040524636,SHA256=E0213908317194A7317174882F4BC4673E4F69794895E107695367CB16B89E2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:42.065{BEA5AFC2-DC7F-630D-0B00-000000007402}640768C:\Windows\system32\lsass.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:42.065{BEA5AFC2-DC7F-630D-0B00-000000007402}640768C:\Windows\system32\lsass.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000035870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.471{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000035869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.471{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000035868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.471{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000035867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.471{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000035866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.471{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000035865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.471{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000035864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.471{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000035863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.471{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000035862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000035861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000035860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000035859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000035858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000035857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000035856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000035855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000035854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000035853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000035852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000035851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000035850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000035849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000035848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000035847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000035846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000035845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000035844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000035843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000035842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000035841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000035840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000035839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000035838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000035837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000035836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000035835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000035834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000035833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000035832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000035831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000035830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-DEE2-630D-0500-000000007502}4081028C:\Windows\system32\csrss.exe{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.456{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.457{3AAE424D-EBFA-630D-4B04-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.020{3AAE424D-EBF9-630D-4A04-000000007502}27044264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000035822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.020{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000035821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:42.019{3AAE424D-EBF9-630D-4A04-000000007502}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000035924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.932{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07AEC80E4CADC221B84C0656AF136C27,SHA256=089A10B2AAC2C0E586D5D52E6E3769813E6DEC468F0AF27E31E5087B253C825C,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000035923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.870{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000035922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.870{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000035921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.870{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000035920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.870{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000035919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.870{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000035918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.870{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000035917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.870{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000035916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.870{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000035915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000035914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000035913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000035912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000035911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000035910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000035909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000035908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000035907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000035906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000035905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000035904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000035903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000035902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000035901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000035900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000035899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000035898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000035897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000035896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000035895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000035894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000035893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000035892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000035891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000035890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000035889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000035888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000035887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000035886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000035885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000035884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000035883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.854{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:43.855{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000040644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:41.836{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63267-false10.0.1.14win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000040643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:41.836{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63267-false10.0.1.14win-dc-ctus-attack-range-146.attackrange.local389ldap 23542300x800000000000000040642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:43.165{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=928E5356069C7A0D358270983EF22BD2,SHA256=45F07D3FC7E2ED8B2F7ECDFF6E20EF9706D0515AD481D214BA1B6E62E6CDE3AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:43.165{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F90AEB008E384FF485234780859425E6,SHA256=91D45011ADA4876263926AFCBA56F05921B178A6FC48D1055E0108C49D324456,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:42.671{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63269-false10.0.1.14win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000040647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:42.671{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63269-false10.0.1.14win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000040646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:41.868{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63268-false10.0.1.12-8000- 23542300x800000000000000040645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:44.247{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFCCC3F01A00FFAD1D795416CC710DE6,SHA256=5FE6FE59312F0C39644121F724CC82519EE7BDF0FC5B2A2DEEB4C3B3F86FF20D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.696{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA0D5FD608508E2DCFAD641E70FA9DBC,SHA256=AC960DF7ABF7655CE688C7853FF91A17AF163785C81DE7C7F90781D7E3139590,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000035987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.696{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000035986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.680{3AAE424D-EBFC-630D-4D04-000000007502}54685480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000035985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.680{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000035984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.680{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x800000000000000035983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:41.839{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50382-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x800000000000000035982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.540{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000035981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.540{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000035980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.540{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000035979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.540{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000035978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.540{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000035977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.540{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000035976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.540{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000035975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.540{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000035974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000035973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000035972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000035971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000035970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000035969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000035968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000035967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000035966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000035965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000035964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000035963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000035962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000035961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000035960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000035959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000035958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000035957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000035956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000035955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000035954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000035953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000035952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000035951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000035950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000035949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000035948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000035947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000035946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000035945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000035944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000035943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000035942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x800000000000000035941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-DEE2-630D-0500-000000007502}4081028C:\Windows\system32\csrss.exe{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.524{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.525{3AAE424D-EBFC-630D-4D04-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000035934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.070{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000035933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.070{3AAE424D-EBFB-630D-4C04-000000007502}41645408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000035932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.070{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000035931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.070{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x800000000000000035930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.004{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000035929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.004{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000035928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.004{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000035927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.003{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000035926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.003{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000035925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:44.003{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBFB-630D-4C04-000000007502}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 23542300x800000000000000040649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:45.333{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E1B9146DF23D54ED24E75D90FA9E519,SHA256=33193EC0565C2FEBAE763E1B8F5710FC4FD178A42A17EF6713C5573DE2D7195E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.978{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000036111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.978{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000036110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.978{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 734700x800000000000000036109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.942{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56,IMPHASH=239D379DAEC05CA48775D7DD3AA4BFCAtrueMicrosoft WindowsValid 734700x800000000000000036108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.843{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\dhcpcsvc.dll10.0.14393.3930 (rs1_release.200901-1914)DHCP Client ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc.dllMD5=CD3B9633BBEF2102C4665A2C39EC0B1A,SHA256=341EFB4806BE39E09AA90CA3B069C39F2A9D61FA9B512350B2721D41875AFCAE,IMPHASH=9A2F821D250C4CEBC0627590331B869DtrueMicrosoft WindowsValid 734700x800000000000000036107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.843{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\dhcpcsvc6.dll10.0.14393.3930 (rs1_release.200901-1914)DHCPv6 ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc6.dllMD5=1721EAC44BCFC7177AA664ADCA514F23,SHA256=C099BCCE44A04A48147DE8CF093EBF997510154113789BF31394B5148F60B375,IMPHASH=1278B10B4CD792CEC37AF93D76A387ECtrueMicrosoft WindowsValid 734700x800000000000000036106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.859{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\webio.dll10.0.14393.3866 (rs1_release.200805-1327)Web Transfer Protocols APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwebio.dllMD5=0CE65DF03820B5523EFE7D20258E6F0A,SHA256=9224732E1A7761866BB479C91A02C561F77B203EB20914F4ED0AF8FE320E8FF6,IMPHASH=72061958A1119B16F6B4694A68C7F8CBtrueMicrosoft WindowsValid 734700x800000000000000036105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.827{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843,IMPHASH=EAA4328F5E33714FA08C71E4AAE43CC1trueMicrosoft WindowsValid 734700x800000000000000036104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.827{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4,IMPHASH=B6A1A16A2B5E910045E998CD7709E966trueMicrosoft WindowsValid 13241300x800000000000000036103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:45.843{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000036102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:45.843{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000036101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:45.843{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000036100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:45.843{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000036099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:45.843{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x800000000000000036098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:45.843{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500_Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 734700x800000000000000036097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.843{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0,IMPHASH=1277B5BCF0437BEA5158FFB1086840B6trueMicrosoft WindowsValid 734700x800000000000000036096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.827{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4,IMPHASH=D74AB287506D6E20949755E75302AD32trueMicrosoft WindowsValid 734700x800000000000000036095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.843{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000036094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.843{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x800000000000000036093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.843{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30E,IMPHASH=8F811B713271A0FEFA798FB95D523A8BtrueMicrosoft WindowsValid 734700x800000000000000036092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.812{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\schannel.dll10.0.14393.5125 (rs1_release.220429-1732)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=6E1B17C60BE7B7BB5D75BDB52B84B18C,SHA256=281F48D64784B48E0AAA6C3D5EC429C055977A3E65E818F5C8A3F8163ABBB264,IMPHASH=D9603397C5B04530FFA0321E70FF2308trueMicrosoft WindowsValid 734700x800000000000000036091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.782{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88ED,IMPHASH=6097EA32A6AE2378711DDF884725A2AFtrueMicrosoft WindowsValid 734700x800000000000000036090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.782{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94C,IMPHASH=98E0DBCEA076EF80E7DE241072E34656trueMicrosoft WindowsValid 734700x800000000000000036089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.766{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1,IMPHASH=77951C1B66390D48C5FC7B47D7C8668AtrueMicrosoft WindowsValid 734700x800000000000000036088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.782{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000036087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.766{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 13241300x800000000000000036086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:45.766{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000036085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:45.766{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000036084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:45.766{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000036083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:45.766{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x800000000000000036082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.750{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\credui.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Credential Manager User InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationcredui.dllMD5=F3EA67955C81EDC0351A4E7418EEEAF4,SHA256=1DC9FF6C665A376789094BF59DCF125A7BE0280D798C74C0853AD1D808104F5D,IMPHASH=4559CD65117B2CEA951EAA739A2320C9trueMicrosoft WindowsValid 734700x800000000000000036081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.766{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\urlmon.dll11.00.14393.5291 (rs1_release.220806-1444)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=EB23BDE140B2A7A40A10923024B4B945,SHA256=F839955D9722980FEC4540AC2FFE3C8225434A40FDF12C7F6A67E9FF3B7AA7E8,IMPHASH=E530C982EE775310D0834EA7C551BBFDtrueMicrosoft WindowsValid 10341000x800000000000000036080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.766{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000036079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:45.766{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 13241300x800000000000000036078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:45.766{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 13241300x800000000000000036077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:45.766{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x800000000000000036076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:45.766{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x800000000000000036075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:45.766{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 734700x800000000000000036074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.766{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\winhttp.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=44DF25F229E9374FA1290BE1CA03026B,SHA256=A446A296E85934FD9D10D7BD5B086FE6B4972FD7E93D4CC0ADC1068DD7A5AD81,IMPHASH=35501E61EE90F9745FCEA0F1F844350FtrueMicrosoft WindowsValid 734700x800000000000000036073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.734{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.5127_none_aec7dd25ddd79049\GdiPlus.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=7278B609C8DAD47E0E93DBB4D49361D1,SHA256=B9FB1418BE46EACB34582BC8F4E867CE4AD7D3C580987AFE0A8EC55ED30A5247,IMPHASH=BC747D18CC28DFF374DB67CDCF580B6BtrueMicrosoft WindowsValid 734700x800000000000000036072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.750{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355,IMPHASH=FE994282C73F9AB11AC9B6E37AC26B47trueMicrosoft WindowsValid 734700x800000000000000036071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.750{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\iertutil.dll11.00.14393.5291 (rs1_release.220806-1444)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=52FD1288FED0BD435BBA02023D8A5394,SHA256=C277A8E6B6E25656085647270AF0D6673DD3C6B29C99260825CD5909FCB82549,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 10341000x800000000000000036070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.750{3AAE424D-DEE2-630D-0B00-000000007502}624672C:\Windows\system32\lsass.exe{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.750{3AAE424D-DEE2-630D-0B00-000000007502}624672C:\Windows\system32\lsass.exe{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000036068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.750{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000036067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.750{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000036066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.734{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000036065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.734{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000036064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.734{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000036063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.734{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000036062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.734{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000036061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.734{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\logoncli.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=4D97A8DA0BF104134C81170C31EA5A69,SHA256=5A85BD08422227F07863837184163A289AE288FC9BD07389AA5C3BFB0A627888,IMPHASH=38941DF5102FFD817983A19701DCDF2AtrueMicrosoft WindowsValid 734700x800000000000000036060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.734{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\samcli.dll10.0.14393.0 (rs1_release.160715-1616)Security Accounts Manager Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMCLI.DLLMD5=AEF1161232D111EEA93F64B203F131AE,SHA256=C1DA3DF389A414AAA26FEEEA28F35AAC202CE3A5CC3AF26B7C0C14EBBC2157F9,IMPHASH=D27BDFF964B5FDB8A5E9B0599333826BtrueMicrosoft WindowsValid 734700x800000000000000036059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.734{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000036058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.719{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28,IMPHASH=A90D5BC867A86FBF8F4557CE6F216093trueMicrosoft WindowsValid 734700x800000000000000036057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.719{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 734700x800000000000000036056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.719{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000036055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.719{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000036054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.703{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000036053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.703{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000036052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.703{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000036051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.703{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeD:\versions.dll10.0.19041.546 (WinBuild.160101.0800)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=17C1E1099B65051BB6DEC71FEA37315B,SHA256=E549D528FEE40208DF2DD911C2D96B29D02DF7BEF9B30C93285F4A2F3E1AD5B0,IMPHASH=34340C2C4E9AA6EF6AD12BB695FC695BtrueMicrosoft WindowsValid 10341000x800000000000000036050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.703{3AAE424D-DEE3-630D-1400-000000007502}8641244C:\Windows\system32\svchost.exe{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.703{3AAE424D-DEE3-630D-1400-000000007502}8641088C:\Windows\system32\svchost.exe{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000036048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.703{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000036047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.688{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeD:\version.dll-----MD5=1563C707316C4B74E1B697D924AC22C1,SHA256=CAB0DA87966E3C0994F4E46F30FE73624528D69F8A1C3B8A1857962E231A082B,IMPHASH=F70C41D0AF3624EE1F132F4C9A493CD3false-Unavailable 734700x800000000000000036046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.703{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000036045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.688{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000036044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.656{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeD:\ONEDRIVE_FOTOS.EXE22.131.0619.0001Microsoft OneDriveMicrosoft OneDriveMicrosoft CorporationOneDrive.exeMD5=46BF70C230EF3BA46A940F5D1B65A0D8,SHA256=A8F50E28989E21695D76F0B9AC23E14E1F8AE875ED42D98EAA427B14A7F87CD6,IMPHASH=5376275FACF4854E0CBACF9C99F1CC50trueMicrosoft CorporationValid 734700x800000000000000036043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.688{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000036042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.688{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BAB,IMPHASH=AD7CEB919D43FA2BD394EC803EB6BCDAtrueMicrosoft WindowsValid 734700x800000000000000036041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\wininet.dll11.00.14393.5127 (rs1_release_inmarket.220514-1756)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=CB9D348470B507BC5761495A04335B06,SHA256=F538BC5C83DC2A3ECAF99BA1786066A6D511DA2BC3971B937882171315AA46C0,IMPHASH=3A3043B2614699B8AF49F62AD14660B1trueMicrosoft WindowsValid 734700x800000000000000036040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000036039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000036038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000036037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000036036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000036035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000036034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000036033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000036032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000036031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000036030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000036029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000036028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000036027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 13241300x800000000000000036026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:45.673{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{05D91559-DF1F-454D-96B2-16BFDC46187D}\LaunchCountDWORD (0x00000001) 13241300x800000000000000036025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:45.673{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{05D91559-DF1F-454D-96B2-16BFDC46187D}\LastAccessedTimeQWORD (0x01d8bc5e-0xa316d580) 734700x800000000000000036024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x800000000000000036023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000036022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x800000000000000036021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000036020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\deviceaccess.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Device Broker And Policy COM ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationDeviceAccess.dllMD5=4C76812B58E0B647D28D6FCEFC6702AF,SHA256=76CF6D4562438A4F51D526C1A9962F7174490A553CC9897C9F60A96702EEB680,IMPHASH=1F40F992028A58CCA9DFDD62028D0D40trueMicrosoft WindowsValid 734700x800000000000000036019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000036018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000036017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\LocationFrameworkPS.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Geolocation Framework PSMicrosoft® Windows® Operating SystemMicrosoft CorporationLocationFrameworkPS.dllMD5=9BA4CCDCED268D654794C53AD79F1402,SHA256=4778C3E478FC613C7B97FBCE5716F04F36CA665F643541841EB24A38B0AAB4A1,IMPHASH=BDE6E9F55B678D4E2440D9FA0C8B81FBtrueMicrosoft WindowsValid 734700x800000000000000036016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000036015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000036014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000036013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000036012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000036011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.673{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\System32\svchost.exeC:\Windows\System32\LocationFrameworkPS.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Geolocation Framework PSMicrosoft® Windows® Operating SystemMicrosoft CorporationLocationFrameworkPS.dllMD5=9BA4CCDCED268D654794C53AD79F1402,SHA256=4778C3E478FC613C7B97FBCE5716F04F36CA665F643541841EB24A38B0AAB4A1,IMPHASH=BDE6E9F55B678D4E2440D9FA0C8B81FBtrueMicrosoft WindowsValid 734700x800000000000000036010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.656{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\deviceaccess.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Device Broker And Policy COM ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationDeviceAccess.dllMD5=4C76812B58E0B647D28D6FCEFC6702AF,SHA256=76CF6D4562438A4F51D526C1A9962F7174490A553CC9897C9F60A96702EEB680,IMPHASH=1F40F992028A58CCA9DFDD62028D0D40trueMicrosoft WindowsValid 734700x800000000000000036009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.656{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\System32\devrtl.dll10.0.14393.0 (rs1_release.160715-1616)Device Management Run Time LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationDEVRTL.DLLMD5=103D84E49F517098C0E8E14044BB1F73,SHA256=370BAADCA5D39C94A532D2E80EBA6CA537B47E41038A332412AEE4BBA5F025B9,IMPHASH=5DE6FAFA9C141BF53E629553C4AB42FBtrueMicrosoft WindowsValid 13241300x800000000000000036008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:45.656{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{05D91559-DF1F-454D-96B2-16BFDC46187D}\LaunchCountDWORD (0x00000001) 13241300x800000000000000036007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:45.656{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{05D91559-DF1F-454D-96B2-16BFDC46187D}\AppIdD:\Onedrive_fotos.exe 734700x800000000000000036006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.656{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 13241300x800000000000000036005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:45.656{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{05D91559-DF1F-454D-96B2-16BFDC46187D}\LastAccessedTimeQWORD (0x01d8bc5e-0xa316d580) 734700x800000000000000036004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.656{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 13241300x800000000000000036003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:45.656{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000036002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:45.656{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXEHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Q:\Barqevir_sbgbf.rkrBinary Data 734700x800000000000000036001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.656{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000036000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.656{3AAE424D-DEE3-630D-1200-000000007502}9964368C:\Windows\System32\svchost.exe{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000035999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:52:45.656{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exeHKU\S-1-5-21-2267825782-3364771655-2859376502-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\SIGN.MEDIA=B16568 Onedrive_fotos.exeBinary Data 10341000x800000000000000035998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.656{3AAE424D-DEE3-630D-1200-000000007502}9963216C:\Windows\System32\svchost.exe{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.656{3AAE424D-DEE3-630D-1200-000000007502}9963216C:\Windows\System32\svchost.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.656{3AAE424D-E5C0-630D-4003-000000007502}31522300C:\Windows\system32\csrss.exe{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.641{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.641{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.641{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.641{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.641{3AAE424D-E5C4-630D-5403-000000007502}36041008C:\Windows\Explorer.EXE{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e73b|C:\Windows\System32\windows.storage.dll+16e451|C:\Windows\System32\windows.storage.dll+16e09e|C:\Windows\System32\windows.storage.dll+16f340|C:\Windows\System32\windows.storage.dll+16ddee|C:\Windows\System32\windows.storage.dll+fce8d|C:\Windows\System32\windows.storage.dll+fd5cc|C:\Windows\System32\windows.storage.dll+fc930|C:\Windows\System32\windows.storage.dll+16650a|C:\Windows\System32\windows.storage.dll+166262|C:\Windows\System32\SHELL32.dll+9cafd|C:\Windows\System32\SHELL32.dll+9b696|C:\Windows\System32\SHELL32.dll+8dfa9|C:\Windows\System32\SHELL32.dll+cf48e|C:\Windows\System32\SHELL32.dll+157b8c|C:\Windows\System32\SHELL32.dll+1578e3|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.619{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exe22.131.0619.0001Microsoft OneDriveMicrosoft OneDriveMicrosoft CorporationOneDrive.exe"D:\Onedrive_fotos.exe" D:\WIN-HOST-CTUS-A\Administrator{3AAE424D-E5C3-630D-A9E7-310000000000}0x31e7a92HighMD5=46BF70C230EF3BA46A940F5D1B65A0D8,SHA256=A8F50E28989E21695D76F0B9AC23E14E1F8AE875ED42D98EAA427B14A7F87CD6,IMPHASH=5376275FACF4854E0CBACF9C99F1CC50{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x800000000000000035989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.046{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB2656FA3027B7FE5D8A022C0962118,SHA256=B2167FDFEFFBC65341A7CEF7CC5C64DDEDE4550DB39FBC8751C1D788D7EB4AC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:45.570{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal57773- 23542300x800000000000000040650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:46.427{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40119DB4961BF82C481330479368F031,SHA256=752890A71B815FCC798DA364079B8E1EBA440DE66AE20438CE91773CA85F6290,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.729{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D218AFCC9293426A9AEAB3F5D3FF101,SHA256=E0336F973761EBAF918B5E81A0C71018E6E4706F9F1C36A97040E7037A52B68E,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000036169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.275{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000036168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.275{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000036167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.275{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000036166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.219{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=836ED73C834FDB3705E456F1C377E5A9,SHA256=631AE049D72B093DA89C93F33D03FD48F42027C1F637D0646775D9133CF604E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.218{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C3575F2B3A314057CFA6D1B22F2F5874,SHA256=976CF0F10B330F00359335CF23169977654A78AF83E039264319BF44DBD833D9,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000036164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.093{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000036163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.092{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000036162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.091{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000036161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.091{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000036160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.090{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000036159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.089{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000036158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.087{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000036157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.124{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000036156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.123{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000036155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.122{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000036154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.121{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000036153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.120{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000036152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.119{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000036151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.087{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000036150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.119{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000036149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.112{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000036148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.086{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000036147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.108{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000036146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.107{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000036145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.107{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000036144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.106{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000036143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.106{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000036142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.106{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000036141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.104{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000036140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.101{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000036139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.101{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000036138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.101{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000036137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.100{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x800000000000000036136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.099{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000036135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.099{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000036134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.098{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000036133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.098{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000036132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.097{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000036131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.095{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000036130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.093{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000036129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.093{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000036128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.092{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000036127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.092{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000036126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.091{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000036125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.088{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.086{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000036123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.086{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x800000000000000036122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.086{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.086{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.086{3AAE424D-DEE2-630D-0C00-000000007502}7204228C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.085{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.085{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.084{3AAE424D-EBFE-630D-4F04-000000007502}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.082{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=328D5DFEC42790796FE25A4E51BC9BB2,SHA256=D9E7FDD0ED1997B70DC00675DBC417794304956679C49A71DBCF26D5B7FB722C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.027{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000036114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.026{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000036113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.026{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 354300x800000000000000040662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:45.657{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal62255- 10341000x800000000000000040661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:47.591{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EBFF-630D-4207-000000007402}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:47.591{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:47.591{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:47.591{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:47.591{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:47.591{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EBFF-630D-4207-000000007402}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:47.591{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EBFF-630D-4207-000000007402}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:47.592{BEA5AFC2-EBFF-630D-4207-000000007402}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:47.529{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5696EE8705E993074566E256D20EF5,SHA256=50B7A4F0CFE6A23EFB3A2C3300C0E9FC3E0458A7C8C50AA7A72EC4F0B0D0C6D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:47.498{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E9783C45BA1CDAAEFD401299A2E963D6,SHA256=D9334DB680B0C9BFBF1CDF18D870242AB20F5ACE91FA61F9920D348844AFD5B5,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000036178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.791{3AAE424D-EBFD-630D-4E04-000000007502}1044d1mk8l112pgjru.cloudfront.net0::ffff:13.33.165.110;::ffff:13.33.165.21;::ffff:13.33.165.98;::ffff:13.33.165.88;D:\Onedrive_fotos.exe 354300x800000000000000036177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.603{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50384-false18.67.21.202server-18-67-21-202.yto50.r.cloudfront.net80http 10341000x800000000000000036176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:47.672{3AAE424D-DEE3-630D-1D00-000000007502}19602580C:\Windows\sysmon64.exe{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:47.672{3AAE424D-DEE3-630D-1D00-000000007502}19602580C:\Windows\sysmon64.exe{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000036174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:45.523{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50383-false13.33.165.110server-13-33-165-110.yto50.r.cloudfront.net443https 10341000x800000000000000036173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:47.672{3AAE424D-DEE3-630D-1D00-000000007502}19602580C:\Windows\sysmon64.exe{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:47.672{3AAE424D-DEE3-630D-1D00-000000007502}19602580C:\Windows\sysmon64.exe{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:47.391{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E7DFF6A36E21EFFA073EC95BAD3AC7B,SHA256=272F34DEE6FA7671C3AFBF91AB928E3F7CCDEE73C70B0B70B2BC0EB76FE3BCA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:47.227{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal61131- 354300x800000000000000040683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:47.014{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63270-false10.0.1.12-8000- 10341000x800000000000000040682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:48.935{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EC00-630D-4407-000000007402}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:48.935{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:48.935{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:48.935{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:48.935{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:48.935{BEA5AFC2-DC7F-630D-0500-000000007402}416432C:\Windows\system32\csrss.exe{BEA5AFC2-EC00-630D-4407-000000007402}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:48.935{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EC00-630D-4407-000000007402}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:48.935{BEA5AFC2-EC00-630D-4407-000000007402}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:48.606{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08983AA98B7BBF1434C7C685724E9770,SHA256=971B8D992E3CF8CF920ED3FA87E59B8351C3EFEBFF4E5E17AB6A5FB0FC4C0991,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:48.519{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4F4EBACC48C9E3E238E2531EEA184C6,SHA256=745F4B0DC750A6B86CD2955939D532B026D6335EDECF554CD67A1849F93D2D5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:48.507{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F0A3FDB1CDD7F54E5F5CA3CD5EA53A3F,SHA256=AA5C8ABA31A90E1702804F8370E9CF6FCE27302CF774AADD4E6EDB50EFB0E59D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:46.915{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50385-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000036179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:48.470{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37A93A1A848C1CFFF07DCA3063762990,SHA256=8480C4CEA6E540069E78F001CC82C3C5478A3C71000A2206A4C687462EBCF67C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:48.472{BEA5AFC2-EC00-630D-4307-000000007402}69685268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:48.264{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EC00-630D-4307-000000007402}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:48.264{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:48.264{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:48.264{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:48.264{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EC00-630D-4307-000000007402}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:48.264{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:48.264{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EC00-630D-4307-000000007402}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:48.265{BEA5AFC2-EC00-630D-4307-000000007402}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000040714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:47.977{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal52554- 354300x800000000000000040713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:47.240{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal51346- 10341000x800000000000000040712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.789{BEA5AFC2-EC01-630D-4507-000000007402}45686848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.635{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.626{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.620{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.618{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.616{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.605{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EC01-630D-4507-000000007402}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.603{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.603{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.603{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.603{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.603{BEA5AFC2-DC7F-630D-0500-000000007402}416500C:\Windows\system32\csrss.exe{BEA5AFC2-EC01-630D-4507-000000007402}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.602{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EC01-630D-4507-000000007402}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.602{BEA5AFC2-EC01-630D-4507-000000007402}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.595{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC0B0C28AACA3CCDA620D3C22FAB13A3,SHA256=596C4EC4631A02FAF4E3C06CB4E6F89D1E094DEA8D5A67DF1AA268924FBEDEE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.593{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.588{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.575{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.569{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.563{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.555{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.548{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.538{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.532{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.524{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.517{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 354300x800000000000000036182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:47.927{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50386-false99.86.63.60server-99-86-63-60.yto50.r.cloudfront.net443https 23542300x800000000000000036181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:49.571{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D615A86890639F7F615F8D70A25B8B1,SHA256=6A9CF3E0212C5E24FCB78EE3DB0911C1933C671341EE2DBE72D888A3821B9146,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.479{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.476{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 22542200x800000000000000036184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:48.198{3AAE424D-EBFD-630D-4E04-000000007502}1044d1ashlvz1t40i3.cloudfront.net0::ffff:99.86.63.60;::ffff:99.86.63.86;::ffff:99.86.63.39;::ffff:99.86.63.85;D:\Onedrive_fotos.exe 23542300x800000000000000036183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:50.652{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351AFA19EA42C01206BCB7BF4B799C0A,SHA256=1BAD157D875E86C4923FEF2D131B9E9225C4F29EDA9631CB1D9F60818BCE6C23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:50.731{BEA5AFC2-EC02-630D-4607-000000007402}6388728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:50.579{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EC02-630D-4607-000000007402}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:50.577{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:50.577{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:50.577{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:50.577{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:50.576{BEA5AFC2-DC7F-630D-0500-000000007402}416432C:\Windows\system32\csrss.exe{BEA5AFC2-EC02-630D-4607-000000007402}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:50.576{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EC02-630D-4607-000000007402}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:50.576{BEA5AFC2-EC02-630D-4607-000000007402}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000040721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:50.073{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:50.068{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:50.066{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:50.065{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:50.060{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:50.045{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:50.042{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 23542300x800000000000000036230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.902{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F39F5D7937F66B2A6523E683BDE7238,SHA256=D623776E7F2E4EF8FDAAAE19634AA8E10AFCAFBA6F40CA039B4E1E012715AE37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.807{3AAE424D-DEE3-630D-1100-000000007502}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EAC85C32DA7C3541D5B55F76DBC97F47,SHA256=18123099D1C9D303BED2E0220F15E9AA0DD27C4B55EAD43BE3A5BD5E176C7EDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.783{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.781{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.780{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.777{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.776{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.775{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.773{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.750{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.729{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.666{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000040749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:51.907{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EC03-630D-4807-000000007402}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:51.907{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:51.907{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:51.907{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:51.907{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:51.907{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EC03-630D-4807-000000007402}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:51.907{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EC03-630D-4807-000000007402}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:51.908{BEA5AFC2-EC03-630D-4807-000000007402}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:51.633{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D16DA5FB8F996BE1FBA23C3627CB8F6,SHA256=13C0FF6C1FEB0AA686FE8A16768E7CCBB51AFE8E13E9E37BF67D82E911CEC414,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.652{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.632{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.626{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.624{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.617{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.612{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.609{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.608{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.602{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.601{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.599{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.598{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.595{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.593{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.591{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.583{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.577{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.574{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.571{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.553{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.529{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.525{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.515{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.478{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.470{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.462{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.455{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.436{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.431{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.420{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.410{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.401{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.391{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000036185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:51.389{3AAE424D-E5D3-630D-6803-000000007502}57525852C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC3D0) 10341000x800000000000000040740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:51.248{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EC03-630D-4707-000000007402}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:51.248{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:51.248{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:51.248{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:51.248{BEA5AFC2-DC80-630D-0C00-000000007402}8522696C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:51.248{BEA5AFC2-DC7F-630D-0500-000000007402}416500C:\Windows\system32\csrss.exe{BEA5AFC2-EC03-630D-4707-000000007402}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:51.248{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EC03-630D-4707-000000007402}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:51.249{BEA5AFC2-EC03-630D-4707-000000007402}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:51.043{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16605B59BB9E1B76C4787CE25E505356,SHA256=EE4209AF4C9B55C31FD43976FB8ECB712ECA1D5D920297BA5FD90FF49C1882B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:49.297{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal61247- 23542300x800000000000000036232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:52.922{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B08632AF70C0F157584DDF136B3D6EC1,SHA256=DBFD4758C97FB9511CCBBF0F8B2BA96665C7C2962CA7087F842DF7282EF1E4E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:52.713{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEFAD8A4259102E49A86610A172E043E,SHA256=A9709A5A09BD278922D09F77C84F8455D12169CCDBB753CF47A36F9CDE3AD46F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:52.702{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:52.694{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:52.671{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:52.660{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:52.650{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:52.646{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:52.644{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:52.642{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:52.640{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:52.637{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:52.634{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:52.633{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 354300x800000000000000036231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:50.230{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50387-false99.86.63.60server-99-86-63-60.yto50.r.cloudfront.net443https 10341000x800000000000000040759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:52.629{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:52.628{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:52.627{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:52.626{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:52.625{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:52.624{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:52.622{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:52.113{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:52.112{BEA5AFC2-E595-630D-7006-000000007402}52725352C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012980190) 10341000x800000000000000040750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:52.049{BEA5AFC2-EC03-630D-4807-000000007402}1352368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:53.669{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D8892058D0BD1FCDE2D1D5C0ABCAC53,SHA256=A492216D1A2F3E758B8AF443078A7AA59E39FAFB8B6506A772524BC8DCC2BFC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:54.761{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDC7CDAB5FCD785CA57AE056A40ED204,SHA256=681BF8F0B3DA5D9A2E1BDFDFDCDD2336BD5F3D2E82AE4511A561B61B2C03A0AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:52.916{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50389-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000036234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:52.500{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50388-false13.33.165.110server-13-33-165-110.yto50.r.cloudfront.net443https 23542300x800000000000000036233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:54.018{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC69177DE2993DA58AEDD66F85AC0BF,SHA256=29D08D76D3305AE96283A10F176702282BBB36A6341B3706009C0B6B74FA79AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:55.856{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B297602E981436F3EBFF4E9760F9821,SHA256=C9ECA56855471DB38F3EC7BA3CA957A487445F231BEA4E3ACB9779B1C27CA2E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:55.107{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90AB7A012BAA50F7DA56796EF51BAD43,SHA256=58EA4DAE6EC38FD0BDC683F482EC00ED6300D48DB1886F7D1A3D3BA5E6C0A326,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:52.790{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63271-false10.0.1.12-8000- 23542300x800000000000000040777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:56.958{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=212906034002DD4D9914A7A91EA11F8E,SHA256=7B2E87DA883FC392A8849A7C392C207627DC91F7B7D034715C8CFCD6A105BC83,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:54.794{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50390-false99.86.63.60server-99-86-63-60.yto50.r.cloudfront.net443https 23542300x800000000000000036237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:56.179{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4124FB1A82415D6ACDF1CBB8F9ED304,SHA256=4650125359896FB2EA49C0459C45CADADA071855D0D35348F1F42ABA1AEA351D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:57.272{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE6274F863EC44C6314F9C61E393EED,SHA256=C0844D4F0433025F5BBDCFAD6C056A886434D0FCDBCFEA081CACFB75D504AD5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:56.960{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50391-false13.33.165.110server-13-33-165-110.yto50.r.cloudfront.net443https 23542300x800000000000000036240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:58.474{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C309064EBFB9A3D228D44E949A6F08,SHA256=13F41434D518C902CE3D27EA9431BFF88767C63F031FCF25955359F41D9F22F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:58.041{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=884EF0F3668B10BCE56FD34E1EB5DFDA,SHA256=2CFBE45F994F1F1FA0AD6A147C0BB6660DDD327AEBAAC1E57A4B9A6BB272EAE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:57.920{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50392-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000036242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:59.556{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CDAD7226445C137C3636751032D2EA6,SHA256=5DB229E1B57C1352EAF55BCD5CA77E185380B6B805B3611B4D8318B18BA9C9BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:59.139{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC5BCA3A43626640BC67F9BB2627C24,SHA256=37E60AB88831B2E032F595AC7BCB8DAD2DF2331C7499C2D5D791385B4CCB8403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:00.652{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16F82626AC3DC0ACE136B2AEBE8F51F4,SHA256=933FA07014B5FF5A00B2E96DE11A30BB3D6F1A0C73C84736A7B9AD104834AC6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:52:57.984{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63272-false10.0.1.12-8000- 23542300x800000000000000040780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:00.231{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72821697499C6ED66C0C64239AF6A2D3,SHA256=E5FFD4900977438F859A34D6C5165D530108DA21FDBDBAD9D4D661C01245E4D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:01.856{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46A3024F1D7066B4D55E0ECEAAC041B3,SHA256=E478AED28F7097BADEBDFE661C7ADF07576B367DA7EBADCE52B1741E9D5E3717,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:01.323{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BA1DFD7EF52DD2107214E4D7C2902E5,SHA256=1B439824DBC4E8077CDED4777935830E4A6BDFF6A4E8B80EC8F65D2F468EF9F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:52:59.141{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50393-false99.86.63.60server-99-86-63-60.yto50.r.cloudfront.net443https 23542300x800000000000000036247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:02.923{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4203441679D48CFD00A7210B520154E3,SHA256=D0ED344111BAB15C7EC08870ABC10DEC2010430542A4F7A484E6DC963A4E0AC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:02.410{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DFC98784AF6058DAAAAFCF1CBA7A458,SHA256=F5DF8DE942F7A84087000A0CF6BAB465C8FC4CCEEABD66CCD77CAC3BF3343282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:03.514{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95DFE09CEB6AD4965F00FE7120A53798,SHA256=E127D74B370E801AED5D59AA0E52D3907D05CEF1DD93AE536E6AF307045918C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:01.392{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50394-false99.86.63.60server-99-86-63-60.yto50.r.cloudfront.net443https 23542300x800000000000000040785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:04.599{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C07B6BB63FE30517879F2019F299489,SHA256=8EE89DDD7E836E8ED0431FE5F144C6B13ED740634E3B63B463BDA60695F3526A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:04.241{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A892411CD38F087EC048751688B7B4,SHA256=FD259DF1FF32A1F174704D10F9946D3E34375F25B44A83564A715A0FD958465C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:05.687{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64AECA0D1FBCE3D1F3D6421AE1BA8E44,SHA256=EFCE927EE4B7AFBF7D62A52FA3B4F22D5DE41547D08DCAD9E7B7E991595245D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:03.890{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50396-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000036253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:03.553{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50395-false99.86.63.60server-99-86-63-60.yto50.r.cloudfront.net443https 23542300x800000000000000036252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:05.313{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C718694F64F46C56304EE25F26842D,SHA256=B9A8CA2C9229D55A131167319042F3161F368F8DDECEA0AB8251D2412A8EF10C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:03.917{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63273-false10.0.1.12-8000- 23542300x800000000000000036251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:05.177{3AAE424D-DEE3-630D-1400-000000007502}864NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\DeviceMetadataCache\OLDCACHE.000MD5=63630865B8D438C32ABF77C953530CB3,SHA256=D205409991CAD2B9C2EAB08CE1EC3FD02AA808798A849AD02411F5ACD5687168,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000036250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-SetValue2022-08-30 10:53:05.158{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceSetup\LastActiveTimeBinary Data 23542300x800000000000000040788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:06.794{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC241969F4E5D4E0F0F2AE6559ECA3C4,SHA256=452D3D0188B7DD75A7218C27C03B18AB79301B20B40961ACB48F40BA8EFE791F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:06.400{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=533CFF0E0FCBE44B9B95BC07E0413534,SHA256=1EF7FC22FB50C666D51EEF5FA0B8ABD1A41C2A952ABE193AD926795478341746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:06.259{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0FEF6E66A960499FA52CEE6CA8B05791,SHA256=7EF4845230F3309C5FB3193A9DE5C6E6EE7397235554E55A8EEDE56D0BF47B0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:07.895{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9936416700BD7921DFA19A07720908B8,SHA256=C8F843EB89CFAF2E9BAAF596D74B06D85EE73E66DAE55F024D999DB84A599D13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:07.491{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE5C53D38119888DE6B1AF9E21404C85,SHA256=48032F94B53CC0A31770A8C45A0150FCEE18EB7450B6FF731BF3BF5D525B687B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:08.989{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2992136636C8B1B9AB50C1DC3D20186A,SHA256=673F91135BDE54B02E80892D0065AE5F5572BBB7BCC68DD44511F1EFF1F24EF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:08.587{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E14425EC236CCF096B893AD2D3A706AC,SHA256=BD43408461BBE5DDC54E4A8AFD524AFBD53E5BAC7A98EFEC223CFB2413C295F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:05.805{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50397-false99.86.63.60server-99-86-63-60.yto50.r.cloudfront.net443https 23542300x800000000000000036260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:09.668{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=933D33E6EBC6855A65000F99540E0FD5,SHA256=55644087CB9018E4D1EF4DC56507D4E59187AF7FFEE0CB3569606B81565C0EFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:09.663{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:09.652{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:09.650{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:09.648{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:09.646{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:09.615{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:09.610{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:09.596{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:09.588{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:09.583{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:09.575{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 23542300x800000000000000040798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:09.567{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F10761BF1FABE9ACA567A4E55D07BF6E,SHA256=D176E9D43E6FB26DF4788AECA2215E705A9EE9BCECF723BD66284464281BB053,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:09.565{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:09.554{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:09.546{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:09.537{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:09.530{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:09.492{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:09.489{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 23542300x800000000000000036261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:10.758{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7CF2AEC9D337C3AAFB64904FC27A7D,SHA256=7A1DEF873AAF5D2D1D026F32B91221E14A2EE69164695C779B95F950C3A7B0F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:08.995{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63274-false10.0.1.12-8000- 10341000x800000000000000040817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:10.100{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:10.096{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:10.091{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:10.090{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:10.085{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:10.079{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:10.076{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 23542300x800000000000000040810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:10.045{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09BEE5CAE347E1FC1A89937F7B97B881,SHA256=06C72CCAB483ECC68BA8C3671466F2CEEA0139872D9A9984C80F882AA14CBAF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.897{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.895{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.894{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.890{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.888{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.888{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.885{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.852{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x800000000000000036299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.842{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=77E88A255E0A6C031E4B9707F24DDC99,SHA256=44E60D7916A85C09B620FA94AC3E7960D2C4C9D499F20CEE1DE23FB303B7BB10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.812{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 354300x800000000000000040820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:09.324{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63275-false10.0.1.12-8089- 23542300x800000000000000040819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:11.134{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B48BA81862EEAA7954AA5AC3913C0CD,SHA256=D7F5302C1A5EC22AB8088AE18B2A3352ED2A5A5478A521011B664FCA1D68EE29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.749{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.736{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.716{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.706{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.698{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.694{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.688{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.678{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.677{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.668{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.667{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.663{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.661{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.652{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.650{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.647{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.643{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.634{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.629{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.618{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.609{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.590{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.583{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.565{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.505{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.494{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.479{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.469{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.450{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.441{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.427{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.410{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.386{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.378{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:11.373{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 354300x800000000000000036262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:07.962{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50398-false13.33.165.110server-13-33-165-110.yto50.r.cloudfront.net443https 23542300x800000000000000036311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:12.911{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=950DD8D592A0A3D3CABA447E872AAEB9,SHA256=E5BD63B699E772909637566D6BB829B7743515489A8EE29F02D3F1204CC87593,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:12.735{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:12.727{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:12.704{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:12.695{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:12.687{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:12.682{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:12.680{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:12.678{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:12.675{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:12.669{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:12.663{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:12.662{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:12.659{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:12.658{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:12.657{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:12.655{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:12.655{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:12.654{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:12.652{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 23542300x800000000000000040823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:12.226{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77762D34C534FEB5086517791AE2DF67,SHA256=6B7E158C8E6327AB241F6FA09F89376A52FE3E3B0C53CF834C3620F9784EEAC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:10.258{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50400-false99.86.63.60server-99-86-63-60.yto50.r.cloudfront.net443https 354300x800000000000000036309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:09.762{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50399-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000036308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:12.106{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D26535ABD4C912ABAAB9A6BB2ECC20B5,SHA256=B16A9A5A1B20E987766E42EF22FE93423593191D19CC8CC7218351B71DB59131,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:12.132{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 10341000x800000000000000040821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:12.131{BEA5AFC2-E595-630D-7006-000000007402}52725360C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000129003D0) 23542300x800000000000000040843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:13.303{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=412D5646D849CD0DFAFCB388FC2DA639,SHA256=BF0509B2AEAA58E9869FEEEB282164E42760C18BC82CF5491565AC025CDF13D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:14.695{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45856E98F19E552EB160ABA431E602AB,SHA256=FAB4A11F60F0F49E3014ECA350F5B93FE2BD4E3859CDC425D84921183A0A0724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:14.381{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F58F05C85BAF340EE5A655D7317DF3C4,SHA256=64E53088D98FEAE382FD372643EA9D47C4C8C0E4F891D8FAE2CDBD3029FD7C01,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:12.552{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50401-false13.33.165.110server-13-33-165-110.yto50.r.cloudfront.net443https 23542300x800000000000000036312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:14.000{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C72DE11A2D341A72C2C1E5EBAF0CD5B6,SHA256=7BB1346EBB0C8A5A2B1EACAF1314073F6B089DAF63996804E1AE8BF980F473C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:13.289{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local63276-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local389ldap 354300x800000000000000040847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:13.289{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local63276-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-146.attackrange.local389ldap 23542300x800000000000000040846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:15.480{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CD68A974779192266114892823B2657,SHA256=75228A41B12DC2761AB611A7E06E0335C2D746C646BC25F318E37AEF1F5E4F6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:15.093{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BB4CD81F94FEEF6451CD74C9E415351,SHA256=E289585EE19C6944CD1358709CE2D01B99FA46DBD2D097C7C5AF7707651A56BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:14.923{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63277-false10.0.1.12-8000- 23542300x800000000000000040849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:16.569{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9509F91CBA2BA23792269D576047E07,SHA256=AA98BA2D902EC3A71C27DA8186EAE476E97814A0F413D9774DE59AD6B744BEB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:16.215{3AAE424D-DEE3-630D-1A00-000000007502}1788NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-057096b16942fd9f4\channels\health\respondent-20220830095653-054MD5=D4339613963D06E92774A3EB9FED8697,SHA256=EC6B2C8C371CA336E2A0B482E95A3B0DACA37B87AC3FADB516AE5F6436D8643B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:16.180{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86EA17FFE9E5A5882C5674A71CAB84C5,SHA256=CD04857044D0E8CE4125292123DED092227603EEC8A225E8CDE512CC01DF953F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:17.862{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BF2A87CDA3015BA65ACDEC369AE54D8C,SHA256=215B748319EEBFA78294976C4A4F430A170CE545F2A07FF0C771084DAA0F22F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:17.659{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C55E9A17048330D33044B4808750BD59,SHA256=05B41F191F37226F04551A07E514FE4F6A9D0C02C7107008C5718FB3D3DC715E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:17.275{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D224CC76BE1EB71661AFF39E1B355FB3,SHA256=C74B8C39A27A53A4411A29CC95A6B6CE6C91793847360856E7360541871F07E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:14.884{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50403-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000036318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:14.718{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50402-false13.33.165.110server-13-33-165-110.yto50.r.cloudfront.net443https 23542300x800000000000000036317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:17.216{3AAE424D-DEE3-630D-1A00-000000007502}1788NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-057096b16942fd9f4\channels\health\surveyor-20220830095651-055MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:18.760{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70935EC75B015869E5D6DF35B1C23D1,SHA256=FAC4F55B7D20DEFFE99C5F7534821E7E294BBA4ED83986E86704AA9048181EDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:18.253{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0D3D040BBC7F23DA2417CED11F6C87B,SHA256=37001A437BEB56C5A21EA69EC91AA901FE9E6112C7B19C6D5BC4724E666AC06C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:19.845{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B24C59E03BB9503FA06521686BCBDF39,SHA256=05A114C36B7FA4AF6F9AA6A4014DFFAF72774CDE046AF1D8191316B30EE45BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:19.353{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C83D52741F2392C96B884EF1AFA612,SHA256=58682072DF1E4188269824E48962C2BBD339EE8E3D0C3558A7F83181C613B390,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:16.886{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50404-false13.33.165.110server-13-33-165-110.yto50.r.cloudfront.net443https 23542300x800000000000000040855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:20.932{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F60BD6BF5E1FCA854B7B5A9BF5749AEA,SHA256=C7C787313685832E008BBFD6A43BC356B33B72385F510FA2FAB60C18DFF8470F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:20.325{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D44A1637620CA98F90C11AC7C6A3662,SHA256=B1537B986C79F2987E459B41DBB91237489A3B03E96E89240D3AA727326925D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:21.425{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E390A74E57462C736950898A64784BFC,SHA256=AF3377B731C74BAE289285162AE1BF498F6C734EB3C904F7189AACC2AE8DB2EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:19.165{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50405-false99.86.63.60server-99-86-63-60.yto50.r.cloudfront.net443https 23542300x800000000000000036327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:22.521{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAE72F942B467D3B633C5CC93FB35307,SHA256=075BFD8D8FAD291267EF57B1366E50CDC385112C7697E8CD17F3C8A2AAFA29E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:20.882{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63278-false10.0.1.12-8000- 23542300x800000000000000040856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:22.025{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD0D415067D17744FAF932F52FE9A6FC,SHA256=448DD3870C3870F39D7661ED7805424B01B4E5F06E9D3EFC2E46C05F2041DD3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:23.621{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E30D1C6878F3C037FDC9E171AE95FEC,SHA256=2E12A0E2F4ED15A4D89E34E0EB060569FBD267FC4E6ADE4AC392D2EA353CE453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:23.123{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4F4346E88BBABB49DACF1386C3B3848,SHA256=CDD530461CA4A7D978BAD184DBEBC98B8D175E657275FA37E427B9B5EB5DEB01,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:20.887{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50406-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000036331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:24.716{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE423DCBFCF05A44F8E9EC4B02A73AEA,SHA256=9D0088E7380EA5E475611C493BC9A8C53ACE20B623899FF35D3D0711019D3887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:24.223{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8428DFF9E24517F6FE15362C04D8F30F,SHA256=93E2A91E1D3D2C7A0D0DC86114215B2EB6A6AE19C4DC65345BAE04B32D0EB30A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:21.425{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50407-false99.86.63.60server-99-86-63-60.yto50.r.cloudfront.net443https 23542300x800000000000000036332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:25.812{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C9368139A370749538AE7EB0D97524,SHA256=5461702FF377D942DC30D5684A563E6695A1EF86CE8FB1C1F0CF3E85D1B7155C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:25.324{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8739E3101B687B31818C2352BEA356AC,SHA256=C398C979D44DFA3A11A30D316A965DA288E9A4A4BABFE5762B19B6FBE9FBF1B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:26.898{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FCE0596C721537B41E0CAF76B83D490,SHA256=2E8D6B3367D968D2A4443AA67905D945F4476A77F65835874A4E6D1A3103999A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:26.416{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F18023360BF7B2E7462E648286B79012,SHA256=C95E4980254D1C26280CE0D193136B6D5D5DD81E04FF25F4680D59CC41B7A97E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:23.591{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50408-false13.33.165.110server-13-33-165-110.yto50.r.cloudfront.net443https 23542300x800000000000000040862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:27.503{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A386F7285D20A96BBC53DF6CD9AFB9F,SHA256=484FD153841A764712492966780D3A5BD6F526C516235418AA446CA763DF8B08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:27.513{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F10761BF1FABE9ACA567A4E55D07BF6E,SHA256=D176E9D43E6FB26DF4788AECA2215E705A9EE9BCECF723BD66284464281BB053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:28.589{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B5896886551AE4B808D737F5E8194D6,SHA256=DA9819C80F36C5AA28F542D92898F6E312BF1D801EEAB14EB66595573BC11C4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:26.893{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50410-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000036337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:25.844{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50409-false13.33.165.110server-13-33-165-110.yto50.r.cloudfront.net443https 23542300x800000000000000036336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:27.998{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D6C7076004B9E2920827737E4D45ADC,SHA256=424C00FF6E7835E972850060AC05F9D6210B06052703C4F73DA773DB8EB21B4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:29.995{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:29.991{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:29.990{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:29.988{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:29.983{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:29.978{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:29.975{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 23542300x800000000000000040883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:29.666{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CBC69A80A932BE6F2F7B13464911F9A,SHA256=11A57777946B057CA3183FADAD1FD7BE13A5FBE1CFE5E5B6B002B0BEF6A79205,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:29.652{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:29.646{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:29.643{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:29.642{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:29.640{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:29.619{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:29.614{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:29.603{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:29.597{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:29.592{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 354300x800000000000000036340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:27.211{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50411-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000036339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:29.086{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B7FB4D900773C7396230BB66CCD7A80,SHA256=69D6373521BE6C4CA0D7F4F70F15C70DC3F6D3A7338F53734C1EA0F289E59258,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:29.584{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:29.576{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:29.567{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:29.560{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:29.550{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:29.542{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:29.499{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:29.496{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 354300x800000000000000040864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:26.868{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63279-false10.0.1.12-8000- 23542300x800000000000000040891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:30.625{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E463BD621DE5D1D9E2F92D0B604F6DF,SHA256=58AC2018FCCD57E82FE119B1AFB37D365620E5C47593059F0F13AEEB37A07486,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:28.109{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50412-false13.33.165.110server-13-33-165-110.yto50.r.cloudfront.net443https 23542300x800000000000000036341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:30.277{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1112CC4432880676B527D020CD340DF8,SHA256=F0089C9917B92CF1FF46D63B55E238EBE4B7C47D30AB767D566FDC4B0B3CF45E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:31.935{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:31.935{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:31.935{BEA5AFC2-DC7F-630D-0B00-000000007402}640768C:\Windows\system32\lsass.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:31.920{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-E595-630D-7006-000000007402}5272C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:31.729{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2211AA61050DD22F0127B4C5C6C7BD4,SHA256=43234BD640D8FB731EC72422620C0EBBCEE864F4CD9067045DF3E25215B6ECBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.688{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.680{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.678{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.674{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.672{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.671{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.670{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.647{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.638{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.608{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.599{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.588{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.583{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.581{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.578{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.576{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.574{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.573{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.569{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.568{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.567{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.566{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.564{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.562{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.560{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.556{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.551{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 354300x800000000000000036361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:29.452{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse192.241.219.185zg-0829f-196.stretchoid.com35546-false10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal3389ms-wbt-server 10341000x800000000000000036360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.548{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.546{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.540{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.527{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.524{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.517{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.473{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.468{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.461{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.445{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.432{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.423{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.408{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.396{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000036346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.391{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000036345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.387{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 10341000x800000000000000036344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.383{3AAE424D-E5D3-630D-6803-000000007502}57525840C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012CAC190) 23542300x800000000000000036343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.381{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=669D57CE9D9097E5A92106E94AB73C5A,SHA256=2AAED6A7BE4DF270E89D122291D9582C2AB6FA51A0E1B4C3FDC316F6B76AE7B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:32.788{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09A49BC5175CB397A17CD2150A5B0AB3,SHA256=37BD635D11FB7FC4734EDE34683CA3FE32B65CA83D18D71E28357B1A7625DDF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:32.671{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=910055BD1E4CC3A1FA554D43AE979B19,SHA256=82532ABDF98B88933FB384ACA19037D5D32FE8230B6B35043E5907E5A1126A5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:30.283{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50413-false13.33.165.110server-13-33-165-110.yto50.r.cloudfront.net443https 10341000x800000000000000040917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:32.617{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:32.610{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:32.589{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:32.582{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:32.570{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:32.566{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:32.564{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:32.562{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:32.559{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:32.555{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:32.553{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:32.552{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:32.547{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:32.546{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:32.545{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:32.545{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:32.544{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:32.543{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:32.541{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:32.033{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:32.032{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 23542300x800000000000000040921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:33.875{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB93F64D4D977B6F6C11AB9D4464981D,SHA256=1975FB8205ADC13E836305718FA998DE9778E3241D221FBA4CB5C1C23AE0D188,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:33.657{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:33.657{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:33.656{3AAE424D-DEE2-630D-0B00-000000007502}624672C:\Windows\system32\lsass.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:33.651{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7EF52084172D0B71DA9F68D1AA57D2F,SHA256=4AEC8B609428EB767E225F6B233771357BAABC528425AF2D0E01E38F686BD3D6,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000036400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:33.649{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x800000000000000036399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:33.648{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x800000000000000036398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:33.646{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x800000000000000036397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:33.644{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x800000000000000036396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:33.643{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x800000000000000036395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:33.643{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x800000000000000036394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:33.641{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-E5D3-630D-6803-000000007502}5752C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000036393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.912{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50414-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000036392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.261{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal49231-false10.0.1.14-53domain 354300x800000000000000036391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:31.250{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:98c0:9708:7b8:ffff-49231-truea00:10e:0:0:0:0:0:0-53domain 354300x800000000000000040920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:31.326{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local58471-false10.0.0.2ip-10-0-0-2.us-east-2.compute.internal53domain 354300x800000000000000040919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:31.325{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal49231- 23542300x800000000000000040922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:34.955{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0EBA7310C8DD8BA29BCB5248C1452AB,SHA256=96FA98F0CCEFFEFAD48BB48269BC09DB280C088A81E0C9D20F258372027768E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:34.740{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F605686D8E39755F6CF96AC2BAC58D42,SHA256=BCF3F9A1B1325FE7294F539ABC99DFB02864776623A6538DB6E00BAEA91D66F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:34.662{3AAE424D-DEE2-630D-0D00-000000007502}7882844C:\Windows\system32\svchost.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000036405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:32.440{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50415-false13.33.165.110server-13-33-165-110.yto50.r.cloudfront.net443https 23542300x800000000000000036408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:35.719{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B4FC692F68934740DDEA43B066C83A2,SHA256=71A607D80A1A74242733D1D0CC7192A4FEDDB164401602ACC7E390F2F902FC58,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:32.825{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63280-false10.0.1.12-8000- 23542300x800000000000000036410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:36.817{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4079A7B52B4B66814DF25AA968866A06,SHA256=F54795A9EA744E571183867371E7AC3CDF115D28A2659014E6166D0CAEBBCB65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:36.050{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A6E8A0E13E46D1F9CD491CF8F6F4F59,SHA256=9A08941006E51FA1AE13A5859358840630EC67FB416F76E15089C44FB175565A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:34.599{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50416-false13.33.165.110server-13-33-165-110.yto50.r.cloudfront.net443https 23542300x800000000000000036411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:37.913{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B4A23244123DBEA4A04C05575D239B3,SHA256=1C8235AD89CDB6D6725DE5A79866FF1B691463584E00D9C2653F497AA61D5727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:37.138{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9968DE2F512834089DC0CB5AB271BE03,SHA256=60B5E64A68EB1EABC3195521D24B54E796C493DA19988EED4F30F70E0647CBFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:38.543{BEA5AFC2-DC92-630D-2300-000000007402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00bf26b22d19118c1\channels\health\respondent-20220830094700-064MD5=C491190F90C7972FBE76687DCEFF5872,SHA256=DB0E0926111D00D550C987F8CEF70C29389AC9CA5369CEC4CC3BEF95D75DEA18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:38.240{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C99ADB8452101F4DBB3B9386667CAC4,SHA256=7C5791CFC89EC04AF70563D5795ABD19F31ACB75B856343F8019564605792832,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:36.863{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50417-false99.86.63.60server-99-86-63-60.yto50.r.cloudfront.net443https 23542300x800000000000000040929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:39.550{BEA5AFC2-DC92-630D-2300-000000007402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00bf26b22d19118c1\channels\health\surveyor-20220830094658-065MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:39.330{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58AA527C28625DAEABE071295F4F7A42,SHA256=B2230B24282FF803398D5912116E34BD48BB6F991BE51358D462E914A3E4BE62,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:36.920{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50418-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000036413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:39.010{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4235A63584A01E804E435450D52B7F51,SHA256=3C0CE32ADE1C2C4123162E6E055D44DA30BBCFAC7372D1AB051923BE74EDCA52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:40.421{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8CD8868B3E6302D15ED32E097D355BD,SHA256=040CC1D06943CF401E0C03255A6A9483FFABE90C4E4D361CB8089D8C6CC25FBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.978{3AAE424D-EC34-630D-5004-000000007502}47045212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000036473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.978{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000036472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.978{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000036471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.900{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E93063079F47ADC90DE9921D2F761CDF,SHA256=24C4FC03DD5BAB5FCDE0FB98B228A7CA5CC425A430C1FC854889A47DD098BC41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.817{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000036469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.817{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000036468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.815{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000036467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.815{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000036466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.815{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x800000000000000036465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.815{3AAE424D-E5D3-630D-6803-000000007502}57525860C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 734700x800000000000000036464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.781{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000036463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.780{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000036462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.779{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000036461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.778{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 354300x800000000000000036460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:39.121{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50419-false99.86.63.60server-99-86-63-60.yto50.r.cloudfront.net443https 734700x800000000000000036459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.763{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000036458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.763{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000036457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.763{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000036456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.763{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000036455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.763{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000036454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.763{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000036453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.747{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000036452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.731{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000036451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.731{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000036450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.731{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000036449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.731{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000036448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.731{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000036447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.731{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000036446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.731{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000036445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.731{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000036444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.731{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000036443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.731{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000036442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.731{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000036441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.731{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000036440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.731{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000036439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.731{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000036438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.731{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000036437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.731{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000036436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.731{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000036435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.731{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000036434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.716{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000036433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.716{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000036432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.716{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000036431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.716{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000036430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.716{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000036429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.716{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000036428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.716{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000036427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.716{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000036426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.716{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000036425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.716{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000036424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.716{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000036423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.716{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x800000000000000036422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.716{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.716{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.716{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.716{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.716{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.716{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.560{3AAE424D-EC34-630D-5004-000000007502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:40.110{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1150456660D2E8CAA77276108F505861,SHA256=25610E51D62BAFA4306341A77A3E64E104036B5074A9BBB2DEC8C4A82BA2BCEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:41.504{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18487D484BD0733A5FB59666290DD299,SHA256=D4F1A392B24A2CB6FC95B6C2CE66ABE9A1FAF02F7AF2E142EA103245E7C33B16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.984{3AAE424D-DF47-630D-9900-000000007502}680NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C8A9C33DC3B569B02166AE1C12FA3640,SHA256=759153488BF0FB7E21144620575D9B9E75E1E410632176D10307FAA5E8C06D06,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000036531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.828{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000036530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.826{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000036529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.826{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000036528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.667{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000036527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.667{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000036526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.667{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000036525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.667{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000036524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.667{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000036523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.667{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000036522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.667{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000036521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.667{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 23542300x800000000000000036520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.667{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EFDCC519F806334629BE900AF1A5D3E,SHA256=F9B4EFF3E35CA4DD4D4BFB6E7214B0D78991431C810F6839D13B159C8F3F405C,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000036519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000036518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000036517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000036516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000036515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000036514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000036513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000036512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000036511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000036510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000036509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000036508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000036507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000036506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000036505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000036504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000036503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000036502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000036501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000036500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000036499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000036498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000036497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000036496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000036495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000036494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000036493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000036492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000036491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000036490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000036489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000036488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 23542300x800000000000000036487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.651{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E0D64EC3342ED4B69C52011B62CB1FA,SHA256=3715C705644BAB0ACA1A0377CA283704B6CD6CD1257E6021889E94FF34191534,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.636{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000036485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.636{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000036484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.636{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000036483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.636{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000036482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.636{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x800000000000000036481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.636{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.636{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.636{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.636{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.636{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.636{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.449{3AAE424D-EC35-630D-5104-000000007502}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000040931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:37.947{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63281-false10.0.1.12-8000- 23542300x800000000000000036585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.803{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A3A6286DCDFFD34FD4BCA805E6F456D,SHA256=FB00B862D671DFC12B7485EC8F2ED5F958B7035F469C2B5481B83DB1A14A166E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.800{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE156C70899C619A5B34ECC0ABC300AE,SHA256=D4D1CF0C06E11DCDDA2DF24C74E7587797CCD0A97FB0734704B66718516FB20E,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000036583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.688{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000036582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.688{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000036581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.688{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000040934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:42.608{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C486A06D6B620BF537B837F9DAEC3131,SHA256=D3D8B67C066A8DFF7606426CB197359DDBB2EEFB1F1909F742F278CAE0C36B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:42.210{BEA5AFC2-DC81-630D-1000-000000007402}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2C047260266FF33740790885356B3728,SHA256=0B5611623900705B334066DBF25AAF2DDA20AF50430F26FABD794348174338EF,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000036580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.500{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000036579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.500{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000036578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.500{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000036577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.500{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000036576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.500{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000036575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.500{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000036574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.500{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000036573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.500{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000036572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.485{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000036571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.485{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000036570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.485{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000036569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.485{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000036568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.485{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000036567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.485{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000036566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.485{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000036565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.485{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000036564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.485{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000036563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.485{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000036562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.485{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000036561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.485{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000036560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.469{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000036559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.469{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000036558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.469{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000036557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.469{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000036556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.469{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000036555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.469{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000036554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.469{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000036553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.469{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000036552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.469{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000036551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.469{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000036550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.469{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000036549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.469{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000036548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.469{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000036547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.469{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000036546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.469{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000036545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.469{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000036544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.469{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000036543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.469{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000036542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.469{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000036541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.469{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000036540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.469{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x800000000000000036539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.469{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.469{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.469{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.469{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.469{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.469{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.329{3AAE424D-EC36-630D-5204-000000007502}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:41.280{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50420-false13.33.165.110server-13-33-165-110.yto50.r.cloudfront.net443https 23542300x800000000000000040935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:43.688{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D73B633130F64B7BD8087919C085329,SHA256=1980AB66CBDEDE4EBD067AC35588AA1C76933A05B61238634293AE306AEED2E4,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000036636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.585{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000036635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.585{3AAE424D-EC37-630D-5304-000000007502}1604832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000036634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.585{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000036633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.585{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000036632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.397{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000036631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.381{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000036630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.381{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000036629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.381{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000036628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.381{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000036627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.381{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000036626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.381{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000036625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.381{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000036624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000036623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000036622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000036621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000036620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000036619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000036618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000036617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000036616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000036615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000036614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000036613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000036612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000036611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000036610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000036609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000036608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000036607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000036606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000036605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000036604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000036603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000036602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000036601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000036600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000036599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000036598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000036597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000036596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000036595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000036594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000036593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.366{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000036592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.350{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.350{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.350{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.350{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.350{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.350{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.226{3AAE424D-EC37-630D-5304-000000007502}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000036738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.993{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000036737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.993{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000036736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.993{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000036735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000036734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000036733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000036732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000036731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000036730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000036729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000036728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000036727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000036726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000036725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000036724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000036723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000036722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000036721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000036720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000036719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000036718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000036717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000036716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000036715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000036714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000036713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000036712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000036711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000036710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000036709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000036708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000036707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000036706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000036705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000036704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000036703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000036702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.977{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000036701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.962{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000036700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.962{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000036699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.962{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000036698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.962{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x800000000000000036697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.962{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.962{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.962{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.962{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.962{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.962{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.782{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:42.781{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50421-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000040936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:44.774{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DA05C0DCE883F705C9D9DFFFE3E5D77,SHA256=5C6706B7EFE33C82DC65CECF8513238C8E31C55F1CD59ED350A5D30DDCC77F6F,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000036689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.344{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000036688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.344{3AAE424D-EC38-630D-5404-000000007502}46043012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000036687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.344{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000036686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.344{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000036685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.139{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000036684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.139{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000036683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.139{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000036682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.139{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000036681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.124{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000036680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.124{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000036679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.124{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000036678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.124{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000036677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000036676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000036675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000036674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000036673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000036672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000036671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000036670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000036669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000036668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000036667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000036666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000036665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000036664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000036663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000036662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000036661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000036660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000036659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000036658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000036657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000036656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000036655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000036654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000036653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000036652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000036651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x800000000000000036650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F31ACBE18AEC046E473ECD3354C83218,SHA256=0DA012834CB0F41D87B179BEF708814B9406E51714D5E9E8C8C3D9ED5714710D,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000036648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000036647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000036646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000036645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000036644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-DEE2-630D-0500-000000007502}408424C:\Windows\system32\csrss.exe{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.108{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:44.109{3AAE424D-EC38-630D-5404-000000007502}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:43.555{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50422-false99.86.63.60server-99-86-63-60.yto50.r.cloudfront.net443https 23542300x800000000000000040937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:45.875{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAFC6C412E16E9E8C4CE618BCFC9CA1E,SHA256=4E6B483DC744C229CF45421179D8BA67230F75BE2311513DB1E5545059A6FC3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:45.222{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057ABBD46D6AE5B14C21705C22F67DE9,SHA256=444FB64EAD926E79062E7B8D9E35CF383124284CE0044CBE79BDDE672C3357B2,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000036742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:45.149{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000036741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:45.149{3AAE424D-EC38-630D-5504-000000007502}29325564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000036740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:45.134{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000036739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:45.134{3AAE424D-EC38-630D-5504-000000007502}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000040939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:46.964{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B28E0837DA6B7E5F7FE579A480B4B6A8,SHA256=E53AE36B2E7ABA33E19275EC42471EF2619FA5A5384257A0036E5531B7A632C0,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000036796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.397{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000036795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.397{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000036794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.397{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000036793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.319{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=505B3A4B16055A7C6F1A182FD97708BC,SHA256=704DEA08072DFA97F25CE0C8408915EFB6101261AC4142B9580DEC7BBB4AA7C7,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000036792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.257{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000036791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.257{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000036790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.257{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000036789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.257{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000036788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.257{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000036787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.257{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000036786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.241{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x800000000000000036785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.241{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000036784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.241{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x800000000000000036783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.241{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000036782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.241{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000036781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.241{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000036780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.241{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000036779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.241{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000036778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.241{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000036777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.241{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000036776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.241{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000036775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.241{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000036774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.241{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000036773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.241{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000036772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.241{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000036771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.241{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000036770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.241{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000036769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.241{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000036768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.241{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000036767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.241{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000036766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.241{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000036765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.241{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000036764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.241{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000036763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.241{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000036762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.241{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000036761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.241{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x800000000000000036760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.241{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000036759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.225{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000036758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.225{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000036757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.225{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000036756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.225{3AAE424D-DF47-630D-9D00-000000007502}23402984C:\Windows\system32\conhost.exe{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000036755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.225{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x800000000000000036754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.225{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000036753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.225{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000036752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.225{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x800000000000000036751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.225{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.225{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.225{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.225{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.225{3AAE424D-DEE2-630D-0500-000000007502}408524C:\Windows\system32\csrss.exe{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.225{3AAE424D-DF47-630D-9900-000000007502}6802832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:46.100{3AAE424D-EC3A-630D-5604-000000007502}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3AAE424D-DEE2-630D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000040938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:43.960{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63282-false10.0.1.12-8000- 23542300x800000000000000040949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:47.970{BEA5AFC2-DCF5-630D-AC00-000000007402}4112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9F8A88100669B73D1E93C7D2279E5213,SHA256=9F2E6C1E605D2A4394CE0E5CF0125ABFD697BC975884FB89D62560C910B9A418,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:45.818{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50423-false13.33.165.110server-13-33-165-110.yto50.r.cloudfront.net443https 23542300x800000000000000036798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:47.450{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=967C3A6B10677B2B85983A6C1300A61C,SHA256=6FEE9950F3DDCAA7A6163BD4611105B64A19ACCC7576A0B1C29039A9EBE1A3B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:47.450{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3F93A5656307352849B3803C932D86A,SHA256=DDD9057BC17E2596302E4708C34218C2F04E4DBD2F157D9CD5C213FCAEF1927D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:47.611{BEA5AFC2-EC3B-630D-4907-000000007402}54645940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:47.454{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EC3B-630D-4907-000000007402}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:47.454{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:47.454{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:47.454{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:47.454{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:47.454{BEA5AFC2-DC7F-630D-0500-000000007402}416432C:\Windows\system32\csrss.exe{BEA5AFC2-EC3B-630D-4907-000000007402}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:47.454{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EC3B-630D-4907-000000007402}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:47.455{BEA5AFC2-EC3B-630D-4907-000000007402}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:48.525{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A696863EDAAC0FB2EE0C6EA865A1617,SHA256=C9F5D083C64A15AEB69222F1400C7023F46DC0DD028FE1EA18968FF2BC799F43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:48.953{BEA5AFC2-EC3C-630D-4B07-000000007402}58525252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:48.796{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EC3C-630D-4B07-000000007402}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:48.796{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:48.796{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:48.796{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:48.796{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:48.796{BEA5AFC2-DC7F-630D-0500-000000007402}416432C:\Windows\system32\csrss.exe{BEA5AFC2-EC3C-630D-4B07-000000007402}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:48.796{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EC3C-630D-4B07-000000007402}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:48.797{BEA5AFC2-EC3C-630D-4B07-000000007402}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:48.479{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A27E8FE434C59D5F83CA8ECDD7CEB7FB,SHA256=94A5A6AA5D55A7181BA7410E29D21C50E68A2DE0B6AF7553A9ECB8CC77461FAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:48.479{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A2F0A0FC24F5BB6567C4CAA4171431A1,SHA256=87821CD9B3CBDB63E5A8DE6B1CAA11F01AFFE47E3D37125BA4EDADE739780C44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:48.111{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EC3C-630D-4A07-000000007402}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:48.111{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:48.111{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:48.111{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:48.111{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:48.111{BEA5AFC2-DC7F-630D-0500-000000007402}416432C:\Windows\system32\csrss.exe{BEA5AFC2-EC3C-630D-4A07-000000007402}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:48.111{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EC3C-630D-4A07-000000007402}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:48.112{BEA5AFC2-EC3C-630D-4A07-000000007402}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:48.048{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE2789534D561C465D64B6EC8509FEA6,SHA256=AE92B485974C51CF0E117F5770CEF244CCFCF5BE9801F444FB7E3DD2C0CB8CF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:47.994{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50424-false99.86.63.60server-99-86-63-60.yto50.r.cloudfront.net443https 23542300x800000000000000036801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:49.728{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BC713DEE04716FF2EEE7480AD085D0B,SHA256=DA1359DB6E597FA76FADD326BDB508F2FE3AC5DA87034083BCE005E11D28D270,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.929{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2900-000000007402}2672C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000041002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.925{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000041001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.923{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2600-000000007402}2496C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000041000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.922{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2300-000000007402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.917{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2200-000000007402}2440C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.912{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2100-000000007402}2432C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.909{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2000-000000007402}2424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.612{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1F00-000000007402}2412C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.607{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-1E00-000000007402}2340C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.604{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC8A-630D-1C00-000000007402}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.603{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC82-630D-1A00-000000007402}1620C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.601{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1700-000000007402}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.578{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1600-000000007402}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.573{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.561{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1400-000000007402}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.556{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1300-000000007402}892C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.551{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1200-000000007402}684C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.544{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1100-000000007402}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.537{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-1000-000000007402}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.529{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0F00-000000007402}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.522{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0E00-000000007402}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.511{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC81-630D-0D00-000000007402}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.504{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC80-630D-0C00-000000007402}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.474{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0B00-000000007402}640C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.471{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC7F-630D-0900-000000007402}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000040978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.467{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EC3D-630D-4C07-000000007402}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.465{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.465{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.465{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.464{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EC3D-630D-4C07-000000007402}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.464{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.464{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EC3D-630D-4C07-000000007402}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.463{BEA5AFC2-EC3D-630D-4C07-000000007402}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.031{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1FB75E8D157E3CC2530BBA9614AE28F,SHA256=D181AA4E3EE74EE2B0C471D37A565C79DBE7122DE5C60DCF1A0E910C0FACEDDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:48.771{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50425-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000036803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:50.809{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE165337B5E11E3D85FDAC2F642F290,SHA256=E3BE1F04B4C6AE0A3F0BCA9CC13DC6C9889E4A0A0A2FC8C009BC16B48C0B2D38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:50.725{BEA5AFC2-EC3E-630D-4D07-000000007402}39083976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:50.583{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EC3E-630D-4D07-000000007402}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:50.583{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:50.583{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:50.583{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:50.583{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:50.583{BEA5AFC2-DC7F-630D-0500-000000007402}416432C:\Windows\system32\csrss.exe{BEA5AFC2-EC3E-630D-4D07-000000007402}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:50.583{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EC3E-630D-4D07-000000007402}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:50.584{BEA5AFC2-EC3E-630D-4D07-000000007402}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:50.295{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7AA56BC168A9C9C2C72AEACAE06EADC,SHA256=E6038ABB82EDA4E8DB73D252484C6EC14CCEC14D6590BD2ADF620CB0F105A0B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:51.952{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2C00-000000007402}2096C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000041032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:51.951{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC92-630D-2A00-000000007402}2908C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000041031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:51.902{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EC3F-630D-4F07-000000007402}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:51.902{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:51.902{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:51.902{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:51.902{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:51.902{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EC3F-630D-4F07-000000007402}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:51.902{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EC3F-630D-4F07-000000007402}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:51.904{BEA5AFC2-EC3F-630D-4F07-000000007402}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000041023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:49.894{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63283-false10.0.1.12-8000- 23542300x800000000000000041022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:51.399{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4F49FE39B8CFD9F0DAEA043F9122D0E,SHA256=4DE057806F9317D89D04B779B703111C0D0CE2B899896B83FFA4272E2FD333FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.821{3AAE424D-DEE3-630D-1100-000000007502}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FA2F24BE4CA554A34A1D709980E9AF21,SHA256=573E7CD6B3D24BD6864540E3A4849701A7A9D924CCFAE34072AC6C9FCCD64334,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.762{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.759{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3204-000000007502}1752C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5285_none_7f19056821dfe0b9\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.757{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EB6A-630D-3104-000000007502}2680C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.754{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-EAC5-630D-1804-000000007502}4424C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.750{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9303-000000007502}2864C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.750{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E695-630D-9203-000000007502}5504C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.748{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5F8-630D-7E03-000000007502}3772C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.720{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CD-630D-6503-000000007502}4996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.698{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5CC-630D-6303-000000007502}4848C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.658{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-5403-000000007502}3604C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.643{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C4-630D-4B03-000000007502}2388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.634{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C3-630D-4803-000000007502}3036C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.629{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C1-630D-4303-000000007502}3720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.627{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-E5C0-630D-4103-000000007502}3764C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.623{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF5D-630D-E800-000000007502}1876C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.615{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF54-630D-E300-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.611{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.610{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9D00-000000007502}2340C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.606{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DF47-630D-9900-000000007502}680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.605{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6500-000000007502}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.604{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEEC-630D-6400-000000007502}3200C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.603{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3600-000000007502}2040C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.601{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE5-630D-3500-000000007502}2636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.599{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE4-630D-2400-000000007502}2480C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.597{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-2200-000000007502}2280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.590{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1E00-000000007502}1984C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.580{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1D00-000000007502}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.573{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1C00-000000007502}1944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.570{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1A00-000000007502}1788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.559{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1800-000000007502}1696C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.530{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1700-000000007502}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.525{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1600-000000007502}1164C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.511{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1500-000000007502}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.472{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1400-000000007502}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.466{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.456{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1200-000000007502}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.445{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1100-000000007502}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.434{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-1000-000000007502}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.423{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0F00-000000007502}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.412{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE3-630D-0E00-000000007502}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.404{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0D00-000000007502}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.394{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0C00-000000007502}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.375{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000036805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:51.371{3AAE424D-E5D3-630D-6803-000000007502}57525784C:\Program Files\Aurora-Agent\aurora-agent.exe{3AAE424D-DEE2-630D-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x800000000000000041021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:51.259{BEA5AFC2-DCF5-630D-B000-000000007402}40642216C:\Windows\system32\conhost.exe{BEA5AFC2-EC3F-630D-4E07-000000007402}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:51.259{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:51.259{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:51.259{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:51.259{BEA5AFC2-DC80-630D-0C00-000000007402}8524516C:\Windows\system32\svchost.exe{BEA5AFC2-DC92-630D-2500-000000007402}2488C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:51.259{BEA5AFC2-DC7F-630D-0500-000000007402}416532C:\Windows\system32\csrss.exe{BEA5AFC2-EC3F-630D-4E07-000000007402}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:51.259{BEA5AFC2-DCF5-630D-AC00-000000007402}41124624C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA5AFC2-EC3F-630D-4E07-000000007402}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:51.259{BEA5AFC2-EC3F-630D-4E07-000000007402}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA5AFC2-DC7F-630D-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000041054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:52.527{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E598-630D-7306-000000007402}5672C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000041053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:52.520{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E596-630D-7106-000000007402}5496C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000041052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:52.500{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E589-630D-6306-000000007402}1908C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000041051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:52.494{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5706-000000007402}4440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000041050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:52.486{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E587-630D-5406-000000007402}4264C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000041049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:52.480{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E585-630D-4E06-000000007402}1460C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 23542300x800000000000000041048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:52.479{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D14AF0E447817B86FE178A08EAA75C9,SHA256=72EFBCDF5ED1E9D4673CC62B14AF7CBC875D78C396F63171A7EB7A58A419D1CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:52.478{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E584-630D-4C06-000000007402}2988C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000041046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:52.475{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-E492-630D-2D06-000000007402}4356C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000041045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:52.472{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD0C-630D-FC00-000000007402}4272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000041044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:52.470{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DD02-630D-F800-000000007402}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000041043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:52.468{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000041042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:52.467{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-B000-000000007402}4064C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000041041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:52.463{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000041040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:52.462{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7700-000000007402}3900C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000041039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:52.461{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA7-630D-7600-000000007402}4060C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000041038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:52.460{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7400-000000007402}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000041037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:52.459{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DCA1-630D-7300-000000007402}3288C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000041036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:52.458{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3E00-000000007402}3628C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000041035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:52.456{BEA5AFC2-E595-630D-7006-000000007402}52725408C:\Program Files\Aurora-Agent\aurora-agent.exe{BEA5AFC2-DC94-630D-3D00-000000007402}3584C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 23542300x800000000000000036850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:52.323{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A77951BAF8FDB89155019B7C655101,SHA256=5F844A52CF987B2A6D80BD443C901C578586FE7BE7C57EA91665C0C57C596F50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:52.092{BEA5AFC2-EC3F-630D-4F07-000000007402}1116484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{BEA5AFC2-DCF5-630D-AC00-000000007402}4112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000041055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:53.558{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33CB97FD309447DC9E13E9BA0F4AA67E,SHA256=328D84C4124E381F5BD14A833F3D5DA427D61A81C8C68D5CEB362D5310DC2F63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:53.391{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77B32204EC5362E5B342EA41D009DCC3,SHA256=1B0204A1B256D06143EB7BBE2B3EDDC4A252501C9BB1BCC6612D90F19C19A366,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:50.246{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50426-false13.33.165.110server-13-33-165-110.yto50.r.cloudfront.net443https 23542300x800000000000000041056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:54.652{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9782FB092A5E1F81ABD00BED5A0A58B,SHA256=BED7B8FFBCC9C68CFE6C20D803FD991B219043C28AD9DEF4F020E9BE15A0F1D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:54.636{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A3552A30052F26C13627CB5A4A0BA892,SHA256=5C7AC5508AE1C5E4562AA50A53608873C2D0FF4E6F48A0538EC8CC3E75C0E053,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:54.570{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:54.568{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:54.568{3AAE424D-DEE2-630D-0C00-000000007502}720852C:\Windows\system32\svchost.exe{3AAE424D-DEE3-630D-1300-000000007502}692C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:54.487{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=585CEFD9657337481C2FA984C6D7188F,SHA256=D2C93DF708E3BF30528413C712DD60F1C76B426A354D94D91C778EB435836373,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:52.503{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50427-false99.86.63.60server-99-86-63-60.yto50.r.cloudfront.net443https 23542300x800000000000000041057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:55.731{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27C1B762B68E724AC399F0EC9369D8BB,SHA256=6557335FB7CBCC2D2B5DDABC6C8712B1CE23E61CDBE25C0EA13A233AE0706961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:55.571{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A60668A6FFB4C57CEFEF81DF5E402361,SHA256=2D867BC1997BFA993CF8A951AF3F420149F7BEE91E84BA0B2BB4903D8D15B6F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:56.823{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39A9BC57A2E3AD196F59EB0D935FF5C9,SHA256=A55867C0B2779B583C4FEA03E66017840D0FCFEF95BDA85C483B96157E08C0CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:56.668{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79D798D3DD8E6CFA11A5CDFA40A482BE,SHA256=817C8DE16278587C513AA989720B5EA25DABCF4664DD315690DE5F9BA6697AB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:54.683{3AAE424D-EBFD-630D-4E04-000000007502}1044D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50429-false13.33.165.110server-13-33-165-110.yto50.r.cloudfront.net443https 354300x800000000000000036860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:53.951{3AAE424D-DF4E-630D-CA00-000000007502}744C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-115.us-east-2.compute.internal50428-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000041060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:57.924{BEA5AFC2-DD02-630D-F800-000000007402}632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CC9665A8F0737D58273E08496B9CC99,SHA256=A716D21DB324CE731E7AF153E0DD1D94F1586DF0E6BE7B04CC6E511DCD732416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-115-2022-08-30 10:53:57.757{3AAE424D-DF54-630D-E300-000000007502}3432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3759E8FBBC72C92121E3C85E2177D85E,SHA256=415172BD698C62FE02C694AC20F89EB98628AA00288D621C612EFBA87181085A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-146.attackrange.local-2022-08-30 10:53:55.017{BEA5AFC2-DCFC-630D-DD00-000000007402}5056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-146.attackrange.local63284-false10.0.1.12-8000-